I am trying to get Packetbeat to populate the `url.extension` field. It is part of ECS and is listed as an exported field for Packetbeat, but I cannot get it to work.
In the example below, `url.path` is `/enroll.txt`, so I would expect `url.extension: txt`, but the field is missing from the event.
Thanks in advance.
Sample event (Packetbeat 7.13.0, ECS 1.9.0):
{
"_index": "packetbeat-7.13.0-2021.05.27-000001",
"_type": "_doc",
"_id": "qb-YsHkBaLY-wtaGkYay",
"_version": 1,
"_score": null,
"fields": {
"event.category": [
"network_traffic",
"network"
],
"host.os.name.text": [
"Windows 10 Home"
],
"server.ip": [
"192.168.1.132"
],
"user_agent.original.text": [
"curl/7.55.1"
],
"host.hostname": [
"system-1"
],
"type": [
"http"
],
"host.mac": [
"08:00:27:af:27:05",
"08:00:27:25:b4:1d"
],
"http.request.method": [
"get"
],
"host.os.version": [
"10.0"
],
"http.response.bytes": [
326
],
"host.os.name": [
"Windows 10 Home"
],
"source.ip": [
"10.0.4.15"
],
"agent.name": [
"system-1"
],
"http.request.headers.content-length": [
0
],
"network.community_id": [
"1:N3spwyL5MkI9pdKXDRJxWl5Ro5A="
],
"host.name": [
"system-1"
],
"http.response.status_code": [
200
],
"http.version": [
"1.1"
],
"event.kind": [
"event"
],
"user_agent.original": [
"curl/7.55.1"
],
"host.os.type": [
"windows"
],
"method": [
"get"
],
"query": [
"GET /enroll.txt"
],
"client.ip": [
"10.0.4.15"
],
"agent.hostname": [
"system-1"
],
"host.architecture": [
"x86_64"
],
"http.response.status_phrase": [
"ok"
],
"url.path": [
"/enroll.txt"
],
"source.port": [
61053
],
"agent.id": [
"e380159b-3f97-45de-957b-b8b6fb9719ca"
],
"bytes_out": [
326
],
"client.port": [
61053
],
"ecs.version": [
"1.9.0"
],
"agent.version": [
"7.13.0"
],
"destination.bytes": [
326
],
"host.os.family": [
"windows"
],
"event.start": [
"2021-05-28T01:30:58.931Z"
],
"status": [
"OK"
],
"server.bytes": [
326
],
"destination.port": [
8000
],
"bytes_in": [
92
],
"event.end": [
"2021-05-28T01:30:58.940Z"
],
"url.scheme": [
"http"
],
"host.os.build": [
"17763.1577"
],
"http.request.bytes": [
92
],
"host.ip": [
"fe80::9dfb:2aae:7112:2f1a",
"172.16.0.4",
"fe80::b9b0:36e6:1851:225d",
"10.0.4.15"
],
"agent.type": [
"packetbeat"
],
"network.protocol": [
"http"
],
"related.ip": [
"10.0.4.15",
"192.168.1.132"
],
"host.os.kernel": [
"10.0.17763.1577 (WinBuild.160101.0800)"
],
"url.port": [
8000
],
"server.port": [
8000
],
"network.bytes": [
418
],
"network.direction": [
"egress"
],
"url.full": [
"http://192.168.1.132:8000/enroll.txt"
],
"host.id": [
"918837dd-23bd-46e8-acae-f5e8f0cbb947"
],
"network.type": [
"ipv4"
],
"source.bytes": [
92
],
"http.response.headers.content-length": [
140
],
"destination.ip": [
"192.168.1.132"
],
"url.full.text": [
"http://192.168.1.132:8000/enroll.txt"
],
"http.response.body.bytes": [
140
],
"network.transport": [
"tcp"
],
"event.duration": [
8540000
],
"http.response.headers.content-type": [
"text/plain"
],
"@timestamp": [
"2021-05-28T01:30:58.931Z"
],
"host.os.platform": [
"windows"
],
"client.bytes": [
92
],
"event.type": [
"connection",
"protocol"
],
"url.domain": [
"192.168.1.132"
],
"agent.ephemeral_id": [
"c4bfc6e4-b383-42ac-b1b3-9784c41eca16"
],
"event.dataset": [
"http"
]
},
"highlight": {
"user_agent.original": [
"@kibana-highlighted-field@curl/7.55.1@/kibana-highlighted-field@"
]
},
"sort": [
1622165458931
]
}