Implement ECS schema 1.5 (#60)

Implement ECS schema 1.5

Author: codebrain

src/Elastic.CommonSchema.Serilog/Http/HttpContextAccessorAdapter.cs

@@ -109,20 +109,35 @@ public Url Url
 					Original = _httpContextAccessor.HttpContext.Request.Path,
 					Full = uri.ToString(),
 					Scheme = uri.Scheme,
-					Query = uri.Query,
+					Query = string.IsNullOrEmpty(uri.Query) ? null : uri.Query,
 					Domain = uri.Authority,
 					Port = uri.Port
 				};
 			}
 		}
 
-		public Server Server => _httpContextAccessor.HttpContext == null ? null : new Server
+		public Server Server
 		{
-			Domain = ConvertToUri(_httpContextAccessor.HttpContext.Request).Authority
-		};
+			get
+			{
+				if (_httpContextAccessor.HttpContext == null)
+					return null;
+
+				var ip4 = _httpContextAccessor.HttpContext.Connection.LocalIpAddress.MapToIPv4();
+
+				var uri = ConvertToUri(_httpContextAccessor.HttpContext.Request);
+
+				return new Server
+				{
+					Address = ip4.ToString(),
+					Ip = ip4.ToString(),
+					Domain = uri.Authority
+				};
+			}
+		}
 
-		private Uri ConvertToUri(Microsoft.AspNetCore.Http.HttpRequest request)
-			=> new Uri($"{request.Scheme}://{request.Host}{request.Path}");
+		private static Uri ConvertToUri(Microsoft.AspNetCore.Http.HttpRequest request) =>
+			new Uri($"{request.Scheme}://{request.Host}{request.Path}");
 
 		public Client Client
 		{
@@ -131,12 +146,12 @@ public Client Client
 				if (_httpContextAccessor.HttpContext == null)
 					return null;
 
-				var address = _httpContextAccessor.HttpContext.Features.Get<IHttpConnectionFeature>()?.RemoteIpAddress.ToString();
+				var ip4 = _httpContextAccessor.HttpContext.Features.Get<IHttpConnectionFeature>()?.RemoteIpAddress.MapToIPv4();
 
 				return new Client
 				{
-					Address = address,
-					Ip = address,
+					Address = ip4.ToString(),
+					Ip = ip4.ToString(),
 					Bytes = _httpContextAccessor.HttpContext.Request.ContentLength,
 					User = User
 				};
@@ -168,7 +183,7 @@ public User User
 
 				return new User
 				{
-					Id = hasIdClaim ? new[] { idClaim.First().Value } : null,
+					Id = hasIdClaim ? idClaim.First().Value : null,
 					Name = hasNameClaim ? nameClaim.First().Value : null,
 					Email = hasEmailClaim ? emailClaim.First().Value : null,
 					Hash = hasHashClaim ? hashClaim.First().Value : null,

src/Elastic.CommonSchema.Serilog/LogEventConverter.cs

@@ -224,21 +224,22 @@ private static Process GetProcess(LogEvent e, bool mapFromCurrentThread)
 			{
 				return new Process
 				{
-					Title = processName,
+					Title = string.IsNullOrEmpty(processName) ? null : processName,
 					Name = processName,
 					Pid = pid,
-					Thread = int.TryParse(threadId ?? processId ?? "", out var id)
-						? new ProcessThread() { Id = id }
+					Thread = int.TryParse(threadId ?? processId, out var id)
+						? new ProcessThread { Id = id }
 						: null,
 				};
 			}
 
 			var currentThread = Thread.CurrentThread;
 			var process = TryGetProcess(pid);
 
+			var mainWindowTitle = process?.MainWindowTitle;
 			return new Process
 			{
-				Title = process?.MainWindowTitle,
+				Title = string.IsNullOrEmpty(mainWindowTitle) ? null : mainWindowTitle,
 				Name = process?.ProcessName ?? processName,
 				Pid = process?.Id ?? pid,
 				Executable = process?.ProcessName ?? processName,

src/Elastic.CommonSchema/Base.Serialization.cs

@@ -16,10 +16,12 @@ namespace Elastic.CommonSchema.Serialization
 {
 	/// <summary>
 	/// This static class allows you to deserialize subclasses of <see cref="Base"/>
-	/// If you are dealing with <see cref="Base"/> directly you do not need to use this class.
-	/// Use <see cref="Base.Deserialize(string)"/> and the overloads instead.
-	/// Note this class should only be used for advanced use cases, for simpler use cases you can utilise the <see cref="Base.Metadata"/> property.
+	/// If you are dealing with <see cref="Base"/> directly you do not need to use this class,
+	/// use <see cref="Base.Deserialize(string)"/> and the overloads instead.
 	/// </summary>
+	/// <remarks>
+	/// This class should only be used for advanced use cases, for simpler use cases you can utilise the <see cref="Base.Metadata"/> property.
+	/// </remarks>
 	/// <typeparam name="TBase">Type of the <see cref="Base"/> subclass</typeparam>
 	public static class EcsSerializerFactory<TBase> where TBase : Base, new()
 	{

src/Elastic.CommonSchema/Serialization/BaseJsonConverter.cs

@@ -16,7 +16,8 @@ public override TBase Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSe
 				reader.Read();
 				return null;
 			}
-			if (reader.TokenType != JsonTokenType.StartObject) throw new JsonException();
+			if (reader.TokenType != JsonTokenType.StartObject)
+				throw new JsonException();
 
 			var ecsEvent = new TBase();
 

src/Elastic.CommonSchema/Serialization/BaseJsonFormatter.Generated.cs

@@ -41,8 +41,10 @@ ref string loglevel
 				"as" => ReadProp<As>(ref reader, "as", ecsEvent, (b, v) => b.As = v),
 				"client" => ReadProp<Client>(ref reader, "client", ecsEvent, (b, v) => b.Client = v),
 				"cloud" => ReadProp<Cloud>(ref reader, "cloud", ecsEvent, (b, v) => b.Cloud = v),
+				"code_signature" => ReadProp<CodeSignature>(ref reader, "code_signature", ecsEvent, (b, v) => b.CodeSignature = v),
 				"container" => ReadProp<Container>(ref reader, "container", ecsEvent, (b, v) => b.Container = v),
 				"destination" => ReadProp<Destination>(ref reader, "destination", ecsEvent, (b, v) => b.Destination = v),
+				"dll" => ReadProp<Dll>(ref reader, "dll", ecsEvent, (b, v) => b.Dll = v),
 				"dns" => ReadProp<Dns>(ref reader, "dns", ecsEvent, (b, v) => b.Dns = v),
 				"ecs" => ReadProp<Ecs>(ref reader, "ecs", ecsEvent, (b, v) => b.Ecs = v),
 				"error" => ReadProp<Error>(ref reader, "error", ecsEvent, (b, v) => b.Error = v),
@@ -53,12 +55,14 @@ ref string loglevel
 				"hash" => ReadProp<Hash>(ref reader, "hash", ecsEvent, (b, v) => b.Hash = v),
 				"host" => ReadProp<Host>(ref reader, "host", ecsEvent, (b, v) => b.Host = v),
 				"http" => ReadProp<Http>(ref reader, "http", ecsEvent, (b, v) => b.Http = v),
+				"interface" => ReadProp<Interface>(ref reader, "interface", ecsEvent, (b, v) => b.Interface = v),
 				"log" => ReadProp<Log>(ref reader, "log", ecsEvent, (b, v) => b.Log = v),
 				"network" => ReadProp<Network>(ref reader, "network", ecsEvent, (b, v) => b.Network = v),
 				"observer" => ReadProp<Observer>(ref reader, "observer", ecsEvent, (b, v) => b.Observer = v),
 				"organization" => ReadProp<Organization>(ref reader, "organization", ecsEvent, (b, v) => b.Organization = v),
 				"os" => ReadProp<Os>(ref reader, "os", ecsEvent, (b, v) => b.Os = v),
 				"package" => ReadProp<Package>(ref reader, "package", ecsEvent, (b, v) => b.Package = v),
+				"pe" => ReadProp<Pe>(ref reader, "pe", ecsEvent, (b, v) => b.Pe = v),
 				"process" => ReadProp<Process>(ref reader, "process", ecsEvent, (b, v) => b.Process = v),
 				"registry" => ReadProp<Registry>(ref reader, "registry", ecsEvent, (b, v) => b.Registry = v),
 				"related" => ReadProp<Related>(ref reader, "related", ecsEvent, (b, v) => b.Related = v),
@@ -71,6 +75,7 @@ ref string loglevel
 				"url" => ReadProp<Url>(ref reader, "url", ecsEvent, (b, v) => b.Url = v),
 				"user" => ReadProp<User>(ref reader, "user", ecsEvent, (b, v) => b.User = v),
 				"user_agent" => ReadProp<UserAgent>(ref reader, "user_agent", ecsEvent, (b, v) => b.UserAgent = v),
+				"vlan" => ReadProp<Vlan>(ref reader, "vlan", ecsEvent, (b, v) => b.Vlan = v),
 				"vulnerability" => ReadProp<Vulnerability>(ref reader, "vulnerability", ecsEvent, (b, v) => b.Vulnerability = v),
 				_ =>
 					typeof(Base) == ecsEvent.GetType()
@@ -103,8 +108,10 @@ public override void Write(Utf8JsonWriter writer, TBase value, JsonSerializerOpt
 			WriteProp(writer, "as", value.As);
 			WriteProp(writer, "client", value.Client);
 			WriteProp(writer, "cloud", value.Cloud);
+			WriteProp(writer, "code_signature", value.CodeSignature);
 			WriteProp(writer, "container", value.Container);
 			WriteProp(writer, "destination", value.Destination);
+			WriteProp(writer, "dll", value.Dll);
 			WriteProp(writer, "dns", value.Dns);
 			WriteProp(writer, "ecs", value.Ecs);
 			WriteProp(writer, "error", value.Error);
@@ -115,12 +122,14 @@ public override void Write(Utf8JsonWriter writer, TBase value, JsonSerializerOpt
 			WriteProp(writer, "hash", value.Hash);
 			WriteProp(writer, "host", value.Host);
 			WriteProp(writer, "http", value.Http);
+			WriteProp(writer, "interface", value.Interface);
 			WriteProp(writer, "log", value.Log);
 			WriteProp(writer, "network", value.Network);
 			WriteProp(writer, "observer", value.Observer);
 			WriteProp(writer, "organization", value.Organization);
 			WriteProp(writer, "os", value.Os);
 			WriteProp(writer, "package", value.Package);
+			WriteProp(writer, "pe", value.Pe);
 			WriteProp(writer, "process", value.Process);
 			WriteProp(writer, "registry", value.Registry);
 			WriteProp(writer, "related", value.Related);
@@ -133,6 +142,7 @@ public override void Write(Utf8JsonWriter writer, TBase value, JsonSerializerOpt
 			WriteProp(writer, "url", value.Url);
 			WriteProp(writer, "user", value.User);
 			WriteProp(writer, "user_agent", value.UserAgent);
+			WriteProp(writer, "vlan", value.Vlan);
 			WriteProp(writer, "vulnerability", value.Vulnerability);
 			if (typeof(Base) != value.GetType())
 				value.WriteAdditionalProperties((k, v) => WriteProp(writer, k, v));

src/Elastic.CommonSchema/Serialization/EcsJsonConverterBase.cs

@@ -54,8 +54,7 @@ internal static object ReadPropDeserialize(ref Utf8JsonReader reader, Type type)
 			return JsonSerializer.Deserialize(ref reader, type, options);
 		}
 
-		protected static TValue ReadProp<TValue>(ref Utf8JsonReader reader, string key)
-			where TValue : class
+		protected static TValue ReadProp<TValue>(ref Utf8JsonReader reader, string key)  where TValue : class
 		{
 			if (reader.TokenType == JsonTokenType.Null) return null;
 

src/Elastic.CommonSchema/Serialization/LogJsonConverter.cs

@@ -38,7 +38,7 @@ public override Log Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSeri
 					"origin" => ReadProp<LogOrigin>(ref reader, "origin", log, (b, v) => b.Origin = v),
 					"original" => ReadString(ref reader, ref original),
 					"level" => ReadString(ref reader, ref loglevel),
-					"syslog" => ReadProp<LogSyslog[]>(ref reader, "syslog", log, (b, v) => b.Syslog = v),
+					"syslog" => ReadProp<LogSyslog>(ref reader, "syslog", log, (b, v) => b.Syslog = v),
 					"logger" => ReadString(ref reader, ref logger),
 					_ => false
 				};