forked from elastic/ecs
vlan.yml
- name: vlan
  title: VLAN
  group: 2
  short: Fields to describe observed VLAN information.
  description: >
    The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and
    egress VLAN associations of an observer in relation to a specific packet or connection.

    Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case
    of q-in-q encapsulations, for a packet or connection as observed, typically provided by a
    network sensor (e.g. Zeek, Wireshark) passively reporting on traffic.

    Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple
    802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek,
    Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used
    in addition to network.vlan fields to indicate q-in-q tagging.

    Observer.ingress and observer.egress VLAN values are used to record observer specific
    information when observer events contain discrete ingress and egress VLAN information,
    typically provided by firewalls, routers, or load balancers.
  reusable:
    top_level: false
    expected:
      - observer.ingress
      - observer.egress
      - network
      - network.inner
  type: group
  fields:
    - name: id
      level: extended
      type: keyword
      example: 10
      description: >
        VLAN ID as reported by the observer.
    - name: name
      level: extended
      type: keyword
      example: outside
      description: >
        Optional VLAN name as reported by the observer.
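As an added illustration (not part of the ECS schema or its tooling), the following parses the 802.1Q tag stack of a raw Ethernet frame the way a passive sensor would see it and maps the outer tag to network.vlan and the first inner q-in-q tag to network.inner.vlan, as the description above prescribes. The frames are constructed samples; the observer.ingress/egress reuse is not covered because those values come from device metadata, not from the frame.

```python
import struct

# EtherTypes (TPIDs) that announce an 802.1Q tag follows. 0x88A8 is the 802.1ad
# service tag used for the outer tag in Q-in-Q; 0x9100 is a legacy outer TPID.
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}


def parse_vlan_tags(frame: bytes):
    """Return (VLAN IDs outer-first, payload EtherType) from a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC
    vids = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in VLAN_TPIDS:
        if len(frame) < offset + 6:  # TPID + TCI + next EtherType must be present
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # VID is the low 12 bits; PCP/DEI are ignored here
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return vids, ethertype


def vlan_fields(frame: bytes) -> dict:
    """Map observed tags onto the ECS field sets: outer tag -> network.vlan, first inner
    tag -> network.inner.vlan. ECS has no field for a third tag, so deeper stacks are
    not represented in the document. network.inner is only set when q-in-q is present."""
    vids, _ = parse_vlan_tags(frame)
    doc = {}
    if vids:
        doc["network"] = {"vlan": {"id": str(vids[0])}}  # id is a keyword field
    if len(vids) > 1:
        doc["network"]["inner"] = {"vlan": {"id": str(vids[1])}}
    return doc


# Constructed sample frames: dst MAC, src MAC, tag(s), EtherType 0x0800; no payload needed.
UNTAGGED = bytes.fromhex("ffffffffffff" "0a0000000001" "0800")
SINGLE_TAGGED = bytes.fromhex("ffffffffffff" "0a0000000001" "8100" "000a" "0800")
QINQ = bytes.fromhex("ffffffffffff" "0a0000000001" "88a8" "0064" "8100" "000a" "0800")

if __name__ == "__main__":
    for name, frame in [("untagged", UNTAGGED), ("single", SINGLE_TAGGED), ("q-in-q", QINQ)]:
        print(name, vlan_fields(frame))
```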