Difference between source/destination and server/client

I'm currently evaluating the SIEM app for integration in our security workflows, and converting most of our datasets to ECS for that purpose. I'm puzzled by the existence of both client/server and source/destination for network connections. The doc says:

Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. 

I'm curious in which situations this extra semantic context is meaningful. Are there any cases where the source is not the client or the destination not the server ? Are there any cases where we would have a source/destination but no client/server ?

1 Like


Source and destination should always be filled. This is the baseline we expect to always be present in SIEM.

I'm not sure consumers of ECS such as SIEM are using the client/server pair at this time. But you can add it to your events where you prefer this terminology.

I think there's a few edge cases where only client is used, like in APM's RUM events

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.