forked from elastic/ecs
vlan.yml
62 lines (55 loc) · 2.32 KB
# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
---
- name: vlan
  title: VLAN
  group: 2
  short: Fields to describe observed VLAN information.
  description: >
    The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and
    egress VLAN associations of an observer in relation to a specific packet or connection.

    Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case
    of q-in-q encapsulations, for a packet or connection as observed, typically provided by a
    network sensor (e.g. Zeek, Wireshark) passively reporting on traffic.

    Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple
    802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek,
    Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used
    in addition to network.vlan fields to indicate q-in-q tagging.

    Observer.ingress and observer.egress VLAN values are used to record observer-specific
    information when observer events contain discrete ingress and egress VLAN information,
    typically provided by firewalls, routers, or load balancers.
  reusable:
    top_level: false
    expected:
      - observer.ingress
      - observer.egress
      - network
      - network.inner
  type: group
  fields:
    - name: id
      level: extended
      type: keyword
      example: 10
      description: >
        VLAN ID as reported by the observer.

    - name: name
      level: extended
      type: keyword
      example: outside
      description: >
        Optional VLAN name as reported by the observer.
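The description above fixes two distinct uses of this field set: `network.vlan` / `network.inner.vlan` for a sensor that sees the raw tag stack, and `observer.ingress.vlan` / `observer.egress.vlan` for a device that reports which VLAN a packet arrived on and left from. The following is an added example, not code from the ECS project, showing both mappings end to end: a small 802.1Q / Q-in-Q tag parser over constructed Ethernet frames, an ECS document builder that sets `network.inner.vlan` only when a second tag is present, and a mapper from an assumed vendor-neutral firewall record to the observer fields. The function names (`parse_vlan_tags`, `to_ecs`, `observer_vlan_ecs`), the `VLAN_TPIDS` set, and all sample frames and the `FIREWALL_EVENT` record are this example's own constructions.

```python
"""Map 802.1Q / Q-in-Q tags and firewall VLAN fields onto the ECS vlan field set.

Added example, not code from the ECS project. Function names, the VLAN_TPIDS
set and the sample frames/records at the bottom are this example's own
constructions, not captured traffic or a real vendor log format.
"""
import struct

# TPIDs that introduce a 4-byte 802.1Q tag header. 0x8100 is the customer
# (C-tag) TPID; 0x88A8 is the 802.1ad service (S-tag) TPID used as the outer
# tag in Q-in-Q; 0x9100 is a legacy provider TPID still seen on some gear.
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}


def parse_vlan_tags(frame: bytes):
    """Return (tags, ethertype, payload_offset) for an Ethernet II frame.

    tags is an ordered list, outermost first, of dicts holding the TPID,
    priority code point (PCP), drop-eligible indicator (DEI) and 12-bit VID.
    ethertype is the first non-VLAN EtherType after the tag stack.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12  # past destination and source MAC
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in VLAN_TPIDS:
            return tags, ethertype, offset + 2
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({
            "tpid": ethertype,
            "pcp": tci >> 13,
            "dei": (tci >> 12) & 1,
            "vid": tci & 0x0FFF,
        })
        offset += 4  # TPID + TCI consumed; next EtherType/TPID follows


def to_ecs(frame: bytes) -> dict:
    """ECS fields for a passively observed frame (the sensor case).

    network.vlan.id carries the single or outer tag; network.inner.vlan.id is
    set only when a second (Q-in-Q) tag is present, as the field set requires.
    ECS vlan.id is a keyword, so VIDs are emitted as strings.
    """
    tags, _ethertype, _offset = parse_vlan_tags(frame)
    # A VID of 0 is a priority-only tag: the frame carries a PCP but belongs
    # to no VLAN, so for ECS purposes it is treated as untagged.
    if not tags or tags[0]["vid"] == 0:
        return {}
    doc = {"network": {"vlan": {"id": str(tags[0]["vid"])}}}
    if len(tags) >= 2:
        # ECS defines one inner tag only; any deeper stack is not recorded.
        doc["network"]["inner"] = {"vlan": {"id": str(tags[1]["vid"])}}
    return doc


def observer_vlan_ecs(record: dict) -> dict:
    """ECS fields for a device reporting distinct ingress/egress VLANs (the
    firewall/router case). `record` uses an assumed vendor-neutral shape."""
    doc = {"observer": {}}
    for side in ("ingress", "egress"):
        vid = record.get(f"{side}_vlan_id")
        if vid is None:
            continue
        vlan = {"id": str(vid)}
        name = record.get(f"{side}_vlan_name")
        if name:
            vlan["name"] = name
        doc["observer"][side] = {"vlan": vlan}
    return doc


# --- constructed sample input (not captured traffic) ------------------------
def _tag(tpid, vid, pcp=0, dei=0):
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)

_HDR = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
_IPV4 = struct.pack("!H", 0x0800)
_PAYLOAD = b"\x45" + b"\x00" * 19  # stub IPv4 header; contents irrelevant here

FRAME_UNTAGGED = _HDR + _IPV4 + _PAYLOAD
FRAME_SINGLE = _HDR + _tag(0x8100, 10, pcp=3) + _IPV4 + _PAYLOAD
FRAME_QINQ = _HDR + _tag(0x88A8, 100) + _tag(0x8100, 10) + _IPV4 + _PAYLOAD
FRAME_PRIO_ONLY = _HDR + _tag(0x8100, 0, pcp=5) + _IPV4 + _PAYLOAD
FIREWALL_EVENT = {"ingress_vlan_id": 10, "ingress_vlan_name": "outside",
                  "egress_vlan_id": 20, "egress_vlan_name": "dmz"}

if __name__ == "__main__":
    for label, frame in [("untagged", FRAME_UNTAGGED), ("single", FRAME_SINGLE),
                         ("qinq", FRAME_QINQ), ("prio-only", FRAME_PRIO_ONLY)]:
        print(label, to_ecs(frame))
    print("firewall", observer_vlan_ecs(FIREWALL_EVENT))
```

Two choices in the builder are worth noting when writing a real ingest pipeline: a priority-only tag (VID 0) is emitted as untagged rather than as `network.vlan.id: "0"`, and a stack deeper than two tags keeps only the outer and first inner tag, since the field set has no place for further levels.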