title: Elastic filebeat (from 7.x) index pattern and field mapping following Elastic Common Schema
order: 20
backends:
  - es-qs
  - es-dsl
  - es-rule
  - es-rule-eql
  - es-eql
  - kibana
  - kibana-ndjson
  - xpack-watcher
  - elastalert
  - elastalert-dsl
  - ee-outliers

defaultindex: filebeat-*
    
fieldmappings:
    # iptable
    message: log.original
    IN: iptables.input_device
    OUT: iptables.output_device
    MAC: destination.mac
    SRC: source.ip
    SPT: source.port
    DST: destination.ip
    DPT: destination.port
    SEQ: iptables.tcp.seq
    ACK: iptables.tcp.ack
    PROTO: network.transport
    # rule network
    action: event.action
    dst_ip: destination.ip
    dst_port: destination.port
    src_ip: source.ip
    answer: dns.answers.name
    c-dns: dns.question.name
    dns_query: dns.question.name
    parent_domain: dns.question.registered_domain
    query: dns.question.name
    QueryName: dns.question.name
    r-dns: dns.question.name
    record_type: dns.type
    response: dns.answers