From 7f35a782d49bdb586d6759cec520e7a3b8b256ed Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Thu, 18 Mar 2021 09:35:24 -0400
Subject: [PATCH] Set event.type for Packetbeat flow events (#24564)

Add `event.type: [connection]` to flow events and include `end` for final flows.
---
 CHANGELOG.next.asciidoc                    | 1 +
 packetbeat/flows/worker.go                 | 6 ++++++
 packetbeat/tests/system/test_0060_flows.py | 1 +
 3 files changed, 8 insertions(+)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 752307d1e76..e952941670a 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -1034,6 +1034,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Tuned the internal queue size to reduce the chances of events being dropped. {pull}22650[22650]
 - Add support for "http.request.mime_type" and "http.response.mime_type". {pull}22940[22940]
 - Upgrade to ECS 1.8.0. {pull}23783[23783]
+- Add `event.type: [connection]` to flow events and include `end` for final flows. {pull}24564[24564]
 
 *Functionbeat*
 
diff --git a/packetbeat/flows/worker.go b/packetbeat/flows/worker.go
index 2a9ca482ed3..f0080cf68d2 100644
--- a/packetbeat/flows/worker.go
+++ b/packetbeat/flows/worker.go
@@ -220,6 +220,12 @@ func createEvent(
 		"category": []string{"network"},
 		"action":   "network_flow",
 	}
+	eventType := []string{"connection"}
+	if isOver {
+		eventType = append(eventType, "end")
+	}
+	event["type"] = eventType
+
 	flow := common.MapStr{
 		"id":    common.NetString(f.id.Serialize()),
 		"final": isOver,
diff --git a/packetbeat/tests/system/test_0060_flows.py b/packetbeat/tests/system/test_0060_flows.py
index ab2e91bfbbc..ae6a4f923fb 100644
--- a/packetbeat/tests/system/test_0060_flows.py
+++ b/packetbeat/tests/system/test_0060_flows.py
@@ -47,6 +47,7 @@ def test_mysql_flow(self):
             'source.bytes': 1480,
             'destination.packets': 10,
             'destination.bytes': 181133,
+            'event.type': ['connection', 'end'],
         })
 
         start_ts = parse_timestamp(objs[0]['event.start'])
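Review bot: The new `event.type` block in worker.go carries no comment explaining why every report of a flow is tagged `connection` while `end` is reserved for the final one, and that distinction matters to anyone writing detection rules or dashboards against these events. Because `"final": isOver` on the following line shows the same flow can be emitted with `isOver` false, a query on `event.type: connection` will presumably match each intermediate report of a long-lived flow rather than one event per connection, so consumers who need one hit per flow should be pointed at `end` (or `flow.final: true`). I would add above `eventType := []string{"connection"}`: `// ECS event.type: every flow report is a "connection"; "end" is added only on the final report (flow.final == true), so count connections by "end"/flow.final to avoid counting intermediate reports of one flow more than once.` createEvent begins before this hunk and its body continues after it.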