Elastic Common Schema (ECS) 入門介紹
Elasticsearch 數據結構在過去主要由使用者自行定義資料結構,對於跨資料的關聯搜尋,可以透過訂製一些通用規範來達到資料追蹤。
但事實上,要做到這件事情會有一些困難,只能針對已知的結構來定義追蹤的規範,一旦有新增需求或調整結構都會造成許多不方便。另外,與不同組織合作時,兩方串接也會需要花費許多時間來討論定義這些通用結構。
就在 2019 年 2 月 Elastic 官方推出了 Elastic Common Schema(ECS, ES通用架構) 開源的規範,可讓使用者可以透過一制性的規範來搜集一些通用的數據結構,這樣的好處可以在不同的資料來源,可以透過 ECS 來做資料關聯搜尋及可視化分析,只要不同組織資料需要做關聯分析時,透過 ECS 就能夠增加溝通效率。因此,用戶只需要將資料映射到 ECS 資料結構即可。接下,針對 ECS 的一些基本結構及用法進行說明:
使用 ECS 的好處
當我們的數據結構開始採用 ECS 的規範,在官方提到會有以下好處
- 正規化的 event 數據,可以更容易地進行分析,視覺化以及關聯
- 不同數據源容易建立集合,可以更輕鬆的將所有分析模型整合
- 不需要花費太多時間在資料欄位命名及型別討論
- 非強制性,可以隨時採用及棄用
起步 開始使用 ECS
在 Elastic 官方,關於 ECS 的定義可以在 這裏 查看,在基本結構主要可分成兩大類別:
- Core fields
- Extended fields
Core Fields 是在各種 case 最常使用的一些欄位,這些欄位會被應用在內容分析,包括 搜尋,可視化,警報,機器學習,報表。因此,可以在任何的資料透過 Core fields 來讓內容分析可以更有效率。
Extended fields 意思是,非 core fileds 都可以稱為 extended fields,這些資料可能是僅限於某些非通用,只適合特定用途,並且可能會隨著時間而變更欄位名稱。
ECS 通用建議:
- 每一筆資料都需要 @timestamp 欄位
- 使用 Elastic 所定義的 Field data types
- 透過 ecs.version 欄位,定義目前使用的是哪一個 ECS 版本
- 資料結構盡可能的多使用 ECS 規範的名稱
欄位建議:
- 所有欄位名稱使用小寫(lower case)
- 命名使用下底線(underscore) 而不是駝峰
- 除了下底線,不要使用其他特殊字元
- 使用現在式的方式描述,除非欄位描述是歷史相關資訊
- 正確的使用單複數,例如每秒多請求命名
requests_per_sec - 使用"前綴"將相關的功能做群組管理
- 欄位儲存原始的資料結構透過 dot(.) - 欄位盡量用原始物件格式,例如 json,而不是包含 dot 連結的字串
- 避免重複的贅詞,例如,host.host_ip 可以調整為 host.ip
- 盡可能避免縮寫
ECS 欄位參考
ECS 將許多欄位針對用途進行分組,例如,每個事件 root 節點的 ECS 都放在 Base 組別,完整的 ECS Field reference 可以直接操考官方[說明](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html_,相關的欄位如下:
| Field Set | Description |
|---|---|
| Base | All fields defined directly at the root of the events. |
| Agent | Fields about the monitoring agent. |
| Autonomous System | Fields describing an Autonomous System (Internet routing prefix). |
| Client | Fields about the client side of a network connection, used with server. |
| Cloud | Fields about the cloud resource. |
| Code Signature | These fields contain information about binary code signatures. |
| Container | Fields describing the container that generated this event. |
| Destination | Fields about the destination side of a network connection, used with source. |
| DLL | These fields contain information about code libraries dynamically loaded into processes. |
| DNS | Fields describing DNS queries and answers. |
| ECS | Meta-information specific to ECS. |
| Error | Fields about errors of any kind. |
| Event | Fields breaking down the event details. |
| File | Fields describing files. |
| Geo | Fields describing a location. |
| Group | User’s group relevant to the event. |
| Hash | Hashes, usually file hashes. |
| Host | Fields describing the relevant computing instance. |
| HTTP | Fields describing an HTTP request. |
| Interface | Fields to describe observer interface information. |
| Log | Details about the event’s logging mechanism. |
| Network | Fields describing the communication path over which the event happened. |
| Observer | Fields describing an entity observing the event from outside the host. |
| Organization | Fields describing the organization or company the event is associated with. |
| Operating System | OS fields contain information about the operating system. |
| Package | These fields contain information about an installed software package. |
| PE Header | These fields contain Windows Portable Executable (PE) metadata. |
| Process | These fields contain information about a process. |
| Registry | Fields related to Windows Registry operations. |
| Related | Fields meant to facilitate pivoting around a piece of data. |
| Rule | Fields to capture details about rules used to generate alerts or other notable events. |
| Server | Fields about the server side of a network connection, used with client. |
| Service | Fields describing the service for or from which the data was collected. |
| Source | Fields about the source side of a network connection, used with destination. |
| Threat | Fields to classify events and alerts according to a threat taxonomy. |
| TLS | Fields describing a TLS connection. |
| Tracing | Fields related to distributed tracing. |
| URL | Fields that let you store URLs in various forms. |
| User | Fields to describe the user relevant to the event. |
| User agent | Fields to describe a browser user_agent string. |
| VLAN | Fields to describe observed VLAN information. |
| Vulnerability | Fields to describe the vulnerability relevant to an event. |
| x509 Certificate | These fields contain x509 certificate metadata. |
在這裡舉個官方提供的例子,在 Apache 的 log 紀錄格式如下:
10.42.42.42 - - [15/Jul/2020:20:48:32 +0000] "GET /content HTTP/1.1" 200 2571 "-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/83.0.4103.106 Safari/537.36"
對應 ECS 的欄位命名,可以結構化成以下內容:
| Field Name | Value |
|---|---|
| @timestamp | 2020-07-15T20:20:48.000Z |
| event.original | 10.42.42.42 - - [15/Jul/2020:20:48:32 +0000] “GET /content HTTP/1.1” 200 2571 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36 |
| http.request.method | GET |
| http.response.body.bytes | 2571 |
| http.response.status_code | 200 |
| http.version | 1.1 |
| message | GET /content HTTP/1.1” 200 2571 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36 |
| source.address | 10.42.42.42 |
| source.ip | 10.42.42.42 |
| url.original | /content |
| user_agent.original | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36 |
在 ECS 規範中,我們會再增加一些欄位來增加跨資料的搜尋及統計便利性,例如前面提到的 ecs.version, 或者增加一些事件說明 event.dataset, event.module 等等
| Field Name | Value |
|---|---|
| ecs.version | 1.5.0 |
| event.module | apache |
| event.dataset | apache.access |
| event.kind | event |
| event.category | [ “network”, “web” ] |
| event.type | [ “access” ] |
| event.outcome | success |
另外,在使用 collectors (例如: Beats ) 傳送資訊時,可以進行 enrich 一些資料,讓這些 event 能有更豐富的 metadata 內容,例如:
| Field Name | Value | Processor |
|---|---|---|
| host.architecture | x86_64 | add_host_metadata |
| host.hostname | mbp.example.com | add_host_metadata |
| host.ip | [ “192.168.1.100” ] | add_host_metadata |
| host.os.family | darwin | add_host_metadata |
| host.os.kernel | 19.4.0 | add_host_metadata |
| host.os.name | Mac OS X | add_host_metadata |
| host.os.version | 10.15.4 | add_host_metadata |
| user_agent.name | Chrome | user_agent |
| user_agent.os.full | Mac OS X 10.15.4 | user_agent |
| user_agent.os.name | Mac OS X | user_agent |
| user_agent.os.version | 10.15.4 | user_agent |
| user_agent.version | 83.0.4103.106 | user_agent |
參考:
[Why does ECS use a dot notation instead of an underline notation?](