Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RFC] Stge 0 - New fieldset for volume device #2201

Merged
merged 19 commits into from
Jun 9, 2023
Merged

[RFC] Stge 0 - New fieldset for volume device #2201

merged 19 commits into from
Jun 9, 2023

Conversation

Trinity2019
Copy link
Contributor

@Trinity2019 Trinity2019 commented Apr 25, 2023
edited
Loading

  • Have you signed the contributor license agreement? - Yes
  • Have you followed the contributor guidelines? - Yes
  • For proposing substantial changes or additions to the schema, have you reviewed the RFC process? - Yes
  • If submitting code/script changes, have you verified all tests pass locally using make test? - N/A
  • If submitting schema/fields updates, have you generated new artifacts by running make and committed those changes? - N/A
  • Is your pull request against main? Unless there is a good reason otherwise, we prefer pull requests against main and will backport as needed. - Yes
  • Have you added an entry to the CHANGELOG.next.md? - N/A

@Trinity2019 Trinity2019 changed the title save draft New fieldset for removable media Apr 25, 2023
@Trinity2019 Trinity2019 changed the title New fieldset for removable media New fieldset for volume device Apr 25, 2023
@Trinity2019 Trinity2019 changed the title New fieldset for volume device [RFC] Stge 0 - New fieldset for volume device Apr 25, 2023
Trinity2019
Trinity2019 commented Apr 25, 2023
View reviewed changes
rfcs/text/0040-removable-media-device.md Outdated Show resolved Hide resolved
rfcs/text/0040-removable-media-device.md Outdated
* volume.mount_name
* volume.device_name
* volume.dos_name
* volume.nt_name
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

above 2 fields are Windows specific

rfcs/text/0040-removable-media-device.md Outdated
This RFC propose adding the volume device fieldset to describe volume storage devices that are removable disks such as USB, mountable virtual disks such as ISO.

* volume.mount_name
* volume.device_name
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

above 2 fields are posix specific

@Trinity2019 Trinity2019 marked this pull request as ready for review May 9, 2023 21:17
@Trinity2019 Trinity2019 requested a review from a team as a code owner May 9, 2023 21:17
ebeahan
ebeahan reviewed May 12, 2023
View reviewed changes
Copy link
Member

@ebeahan ebeahan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the proposal, @Trinity2019.

The motivation of describing alerts and event associated with volumes makes sense as an addition to ECS.

rfcs/text/0040-volume-device.md Outdated Show resolved Hide resolved
Trinity2019
Trinity2019 commented May 15, 2023
View reviewed changes
rfcs/text/0040-volume-device.md
* volume.vendor_name
* volume.serial_number
* volume.volume_device_type
* volume.action
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

volume.action will be like "attach", "detach", "mount", "unmount". I'm hesitating to place it here. Seems event.action is a better place to save such information. Because these volumes fields will be part of a device event, similar to process events whose event.action can be "start"/"end".
thoughts?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd also prefer to use the existing event.action field over introducing an additional *.action field, if we can avoid it.

ebeahan
ebeahan approved these changes May 18, 2023
View reviewed changes
Copy link
Member

@ebeahan ebeahan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Should anyone else give another review before we merge this RFC as stage 0?

@stanek-michal
Copy link
Contributor

LGTM.

Should anyone else give another review before we merge this RFC as stage 0?

I reviewed this as well, I think we can go ahead with merging

@ebeahan ebeahan merged commit acfada3 into elastic:main Jun 9, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ebeahan ebeahan ebeahan approved these changes

@stanek-michal stanek-michal stanek-michal approved these changes

Assignees
No one assigned
Labels
RFC
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Trinity2019 @stanek-michal @ebeahan