Usage
Creating ECS events
The recommended way to create an EcsDocument instance is through
var doc = EcsDocument.CreateNewWithDefaults<EcsDocument>();
This automatically populates most of the common ECS fields that can be inferred from the running process (host, process, agent and similar).
This is not required, however; constructing a new EcsDocument directly and filling in only the fields you need is fully valid and supported, as in the DNS event below:
var ecsDocument = new EcsDocument
{
    Timestamp = DateTimeOffset.Parse("2019-10-23T19:44:38.485Z"),
    Dns = new Dns
    {
        Id = "23666",
        OpCode = "QUERY",
        Type = "answer",
        QuestionName = "www.example.com",
        QuestionType = "A",
        QuestionClass = "IN",
        QuestionRegisteredDomain = "example.com",
        HeaderFlags = new[] { "RD", "RA" },
        ResponseCode = "NOERROR",
        ResolvedIp = new[] { "10.0.190.47", "10.0.190.117" },
        Answers = new[]
        {
            new DnsAnswers { Data = "10.0.190.47", Name = "www.example.com", Type = "A", Class = "IN", Ttl = 59 },
            new DnsAnswers { Data = "10.0.190.117", Name = "www.example.com", Type = "A", Class = "IN", Ttl = 59 }
        }
    },
    Network = new Network
    {
        Type = "ipv4",
        Transport = "udp",
        Protocol = "dns",
        Direction = "outbound",
        CommunityId = "1:19beef+RWVW9+BEEF/Q45VFU+2Y=",
        Bytes = 126
    },
    Source = new Source { Ip = "192.168.86.26", Port = 5785, Bytes = 31 },
    Destination = new Destination { Ip = "8.8.4.4", Port = 53, Bytes = 95 },
    Client = new Client { Ip = "192.168.86.26", Port = 5785, Bytes = 31 },
    Server = new Server { Ip = "8.8.4.4", Port = 53, Bytes = 95 },
    Event = new Event
    {
        Duration = 122433000,
        Start = DateTimeOffset.Parse("2019-10-23T19:44:38.485Z"),
        End = DateTimeOffset.Parse("2019-10-23T19:44:38.607Z"),
        Kind = "event",
        Category = new[] { "network_traffic" }
    },
    Ecs = new Ecs { Version = "1.2.0" },
    Metadata = new Dictionary<string, object> { { "client", "ecs-dotnet" } }
};
Assigning ECS fields dynamically
ECS fields can also be assigned dynamically by their dotted ECS path:
ecsDocument.AssignProperty("orchestrator.cluster.id", "id");
This assigns "id" to ecsDocument.Orchestrator.ClusterId, creating a new Orchestrator instance automatically if the document does not have one yet.
Any string or boolean value whose path is not a known ECS field is stored under labels.*; values of any other type with an unknown path are stored under metadata.*.
Because the path is resolved at runtime, pass only keys you control to AssignProperty: an attacker-supplied key such as "event.outcome" would overwrite the typed ECS field rather than land in labels.*, so untrusted attribute names should be allow-listed or written under a prefix that cannot collide with a known ECS field.
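The following C# program is an added example and is not code from the ecs-dotnet documentation. It ties the two parts of this page together: it builds a document with CreateNewWithDefaults and typed properties, then feeds a dictionary of attributes through AssignProperty, letting only allow-listed keys reach known ECS fields and namespacing everything else so a hostile key cannot clobber a typed field. It assumes the Elastic.CommonSchema package; the KnownSafeKeys allow-list, the "custom." prefix and the sample attributes are conventions of this example, and Serialize() is the library's own JSON serializer, which this page does not show.

```csharp
// Added example, not part of the ecs-dotnet docs. Assumes the Elastic.CommonSchema package.
using System;
using System.Collections.Generic;
using Elastic.CommonSchema;

public static class EcsAssignDemo
{
    // Attribute names that our own code is allowed to route onto known ECS fields.
    // Assumption for this example: any key not listed here is treated as untrusted.
    private static readonly HashSet<string> KnownSafeKeys = new HashSet<string>(StringComparer.Ordinal)
    {
        "orchestrator.cluster.id",
        "user.name",
    };

    public static EcsDocument Build(IReadOnlyDictionary<string, object> attributes)
    {
        // Defaults populate the fields inferable from the running process (host, process, agent ...).
        var doc = EcsDocument.CreateNewWithDefaults<EcsDocument>();

        // Typed properties for the fields we know up front, as on the page.
        doc.Timestamp = DateTimeOffset.UtcNow;
        doc.Event = new Event { Kind = "event", Category = new[] { "network_traffic" }, Outcome = "success" };
        doc.Source = new Source { Ip = "192.168.86.26", Port = 5785 };
        doc.Destination = new Destination { Ip = "8.8.4.4", Port = 53 };

        foreach (var pair in attributes)
        {
            if (KnownSafeKeys.Contains(pair.Key))
            {
                // Known ECS path from a trusted source: lands on the typed property,
                // e.g. doc.Orchestrator.ClusterId, creating Orchestrator if needed.
                doc.AssignProperty(pair.Key, pair.Value);
            }
            else
            {
                // Untrusted key: prefix it so the path can never resolve to a known ECS field
                // such as "event.outcome". Under the page's rules the string/bool values then
                // end up in labels.* and anything else in metadata.*. The "custom." prefix is
                // this example's convention, not something ecs-dotnet defines.
                doc.AssignProperty("custom." + pair.Key, pair.Value);
            }
        }
        return doc;
    }

    public static void Main()
    {
        // Constructed input for the example: attributes as they might arrive from a request,
        // including one key chosen to collide with a typed ECS field.
        var attributes = new Dictionary<string, object>
        {
            ["orchestrator.cluster.id"] = "prod-eu-1",  // trusted, known ECS field
            ["tenant"] = "acme",                        // unknown string, routed to labels.*
            ["retries"] = 3,                            // unknown int, routed to metadata.*
            ["event.outcome"] = "failure",              // hostile: must not replace doc.Event.Outcome
        };

        var doc = Build(attributes);

        // The typed field keeps the value set by our code; the hostile key is namespaced away.
        Console.WriteLine($"cluster id: {doc.Orchestrator.ClusterId}");
        Console.WriteLine($"event.outcome: {doc.Event.Outcome}");

        // Serialize() emits the ECS JSON, including the labels.* and metadata.* entries.
        Console.WriteLine(doc.Serialize());
    }
}
```

The allow-list is deliberately small and exact-match: the page says AssignProperty resolves any known ECS path, so a prefix or wildcard rule would reopen the door to keys like "event.outcome" or "user.name" arriving from outside. Widen KnownSafeKeys only for paths your own code sets.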