Implement ECS-Compatibility Mode
yaauie opened this issue ยท 3 comments
As a part of the effort to make plugins able to run in an ECS-Compatible manner
by default in an upcoming release of Logstash, this plugin needs to implement
an ECS-Compatibility mode that does not implicitly use fields that conflict
with ECS.
Absent target directive, this plugin uses root-level field geoip,
which is undefined in ECS and therefore has the possiblity of conflicting
with future versions of ECS. The plugin may benefit from an ECS-Compatibility
mode that requires the target to be set explicitly, by using the ECS-compatible (edit: "the geo fields are not expected to be used
root-level geo object
directly at the top level."), or otherwise reduces the risk of future conflict.
Additional analysis will need to be made to ensure the resulting object is also compatible with the geo field type in ECS.
Plugin will need to be aligned with ES output (default template for geoip: ... needs to be adjusted)
| DB Field Name | ECS Equivalent Subfield Name |
|---|---|
asn |
[as][number] |
as_org |
[as][organization][name] |
city_name |
[geo][city_name] |
country_name |
[geo][country_name] |
continent_code |
N/A |
continent_name |
[geo][continent_name] |
country_code2 |
[geo][country_iso_code] |
country_code3 |
* alias for country_code2 |
ip |
* the ip used for lookup |
isp |
N/A |
postal_code |
N/A |
dma_code |
N/A |
region_name |
[geo][region_name] |
region_code |
[geo][region_iso_code]* (breaking: legacy WA -> ecs US-WA) |
timezone |
N/A |
location |
* alias for latitude & longitude |
latitude |
[geo][location][lat] |
longitude |
[geo][location][lon] |
organization |
N/A |
| it depends | [geo][name] |
asn and as_org map to the autonomous systems fields (https://www.elastic.co/guide/en/ecs/current/ecs-as.html) as.number and as.organization.name respectivly