elastic · efd6 · Feb 1, 2024 · Feb 1, 2024
@@ -33,6 +33,29 @@ Currently, Network Packet Capture supports the following protocols:
 
 The following options are available for all protocols:
 
+#### `map_to_ecs`
+
+Remap any non-ECS Packetbeat fields in root to their correct ECS fields.
+This will rename fields that are moved so the fields will not be present
+at the root of the document and so any rules that depend on the fields
+will need to be updated.
+
+The legacy behaviour of this option is to not remap to ECS. This behaviour
+is still the default, but is deprecated and users are encouraged to set
+this option to true.
+
+ECS remapping may have an impact on workflows that depend on the identity
+of non-ECS fields, and users should assess their use of these fields before
+making the change. Users who need to retain data collected with the legacy
+mappings may need to re-index their older documents. Instructions for doing
+this are available [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html).
+The pipeline used to perform ECS remapping for each data stream can be found
+in `Stack Management`›`Ingest Pipelines` and and searching for
+"logs-network_traffic compatibility".
+
+The deprecation and retirement timeline for legacy behavior is available
+[here](https://github.com/elastic/integrations/issues/8185).
+
 #### `enabled`
 
 The enabled setting is a boolean setting to enable or disable protocols

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.30.0"
+  changes:
+    - description: Publish deprecation notice for legacy behavior of `map_to_ecs`.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/9031
 - version: "1.29.1"
   changes:
     - description: Changed owners

@@ -124,7 +124,10 @@ streams:
           This will rename fields that are moved so the fields will not be present
           at the root of the document and so any rules that depend on the fields
           will need to be updated.
-        show_user: false
+
+          The legacy behaviour of this option is deprecated and users are encouraged
+          to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview).
+        show_user: true
         multi: false
         required: false
     title: AMQP

@@ -111,7 +111,10 @@ streams:
           This will rename fields that are moved so the fields will not be present
           at the root of the document and so any rules that depend on the fields
           will need to be updated.
-        show_user: false
+
+          The legacy behaviour of this option is deprecated and users are encouraged
+          to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview).
+        show_user: true
         multi: false
         required: false
     title: Cassandra

@@ -59,7 +59,10 @@ streams:
           This will rename fields that are moved so the fields will not be present
           at the root of the document and so any rules that depend on the fields
           will need to be updated.
-        show_user: false
+
+          The legacy behaviour of this option is deprecated and users are encouraged
+          to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview).
+        show_user: true
         multi: false
         required: false
     title: DHCP

@@ -114,7 +114,10 @@ streams:
           This will rename fields that are moved so the fields will not be present
           at the root of the document and so any rules that depend on the fields
           will need to be updated.
-        show_user: false
+
+          The legacy behaviour of this option is deprecated and users are encouraged
+          to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview).
+        show_user: true
         multi: false
         required: false
     title: DNS

@@ -59,6 +59,9 @@ streams:
           This will rename fields that are moved so the fields will not be present
           at the root of the document and so any rules that depend on the fields
           will need to be updated.
-        show_user: false
+
+          The legacy behaviour of this option is deprecated and users are encouraged
+          to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview).
+        show_user: true
         multi: false
         required: false
@@ -184,7 +184,10 @@ streams:
           This will rename fields that are moved so the fields will not be present
           at the root of the document and so any rules that depend on the fields
           will need to be updated.
-        show_user: false
+
+          The legacy behaviour of this option is deprecated and users are encouraged
+          to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview).
+        show_user: true
         multi: false
         required: false
     title: HTTP

@@ -52,6 +52,9 @@ streams:
           This will rename fields that are moved so the fields will not be present
           at the root of the document and so any rules that depend on the fields
           will need to be updated.
-        show_user: false
+
+          The legacy behaviour of this option is deprecated and users are encouraged
+          to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview).
+        show_user: true
         multi: false
         required: false
@@ -135,7 +135,10 @@ streams:
           This will rename fields that are moved so the fields will not be present
           at the root of the document and so any rules that depend on the fields
           will need to be updated.
-        show_user: false
+
+          The legacy behaviour of this option is deprecated and users are encouraged
+          to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview).
+        show_user: true
         multi: false
         required: false
     title: Memcached

@@ -105,7 +105,10 @@ streams:
           This will rename fields that are moved so the fields will not be present
           at the root of the document and so any rules that depend on the fields
           will need to be updated.
-        show_user: false
+
+          The legacy behaviour of this option is deprecated and users are encouraged
+          to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview).
+        show_user: true
         multi: false
         required: false
     title: MongoDB

@@ -86,7 +86,10 @@ streams:
           This will rename fields that are moved so the fields will not be present
           at the root of the document and so any rules that depend on the fields
           will need to be updated.
-        show_user: false
+
+          The legacy behaviour of this option is deprecated and users are encouraged
+          to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview).
+        show_user: true
         multi: false
         required: false
     title: MySQL

@@ -86,7 +86,10 @@ streams:
           This will rename fields that are moved so the fields will not be present
           at the root of the document and so any rules that depend on the fields
           will need to be updated.
-        show_user: false
+
+          The legacy behaviour of this option is deprecated and users are encouraged
+          to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview).
+        show_user: true
         multi: false
         required: false
     title: NFS

@@ -86,7 +86,10 @@ streams:
           This will rename fields that are moved so the fields will not be present
           at the root of the document and so any rules that depend on the fields
           will need to be updated.
-        show_user: false
+
+          The legacy behaviour of this option is deprecated and users are encouraged
+          to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview).
+        show_user: true
         multi: false
         required: false
     title: PostgreSQL

@@ -105,7 +105,10 @@ streams:
           This will rename fields that are moved so the fields will not be present
           at the root of the document and so any rules that depend on the fields
           will need to be updated.
-        show_user: false
+
+          The legacy behaviour of this option is deprecated and users are encouraged
+          to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview).
+        show_user: true
         multi: false
         required: false
     title: Redis

@@ -80,7 +80,10 @@ streams:
           This will rename fields that are moved so the fields will not be present
           at the root of the document and so any rules that depend on the fields
           will need to be updated.
-        show_user: false
+
+          The legacy behaviour of this option is deprecated and users are encouraged
+          to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview).
+        show_user: true
         multi: false
         required: false
     title: SIP

@@ -160,7 +160,10 @@ streams:
           This will rename fields that are moved so the fields will not be present
           at the root of the document and so any rules that depend on the fields
           will need to be updated.
-        show_user: false
+
+          The legacy behaviour of this option is deprecated and users are encouraged
+          to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview).
+        show_user: true
         multi: false
         required: false
     title: Thrift

@@ -86,7 +86,10 @@ streams:
           This will rename fields that are moved so the fields will not be present
           at the root of the document and so any rules that depend on the fields
           will need to be updated.
-        show_user: false
+
+          The legacy behaviour of this option is deprecated and users are encouraged
+          to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview).
+        show_user: true
         multi: false
         required: false
     title: TLS

@@ -33,6 +33,29 @@ Currently, Network Packet Capture supports the following protocols:
 
 The following options are available for all protocols:
 
+#### `map_to_ecs`
+
+Remap any non-ECS Packetbeat fields in root to their correct ECS fields.
+This will rename fields that are moved so the fields will not be present
+at the root of the document and so any rules that depend on the fields
+will need to be updated.
+
+The legacy behaviour of this option is to not remap to ECS. This behaviour
+is still the default, but is deprecated and users are encouraged to set
+this option to true.
+
+ECS remapping may have an impact on workflows that depend on the identity
+of non-ECS fields, and users should assess their use of these fields before
+making the change. Users who need to retain data collected with the legacy
+mappings may need to re-index their older documents. Instructions for doing
+this are available [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html).
+The pipeline used to perform ECS remapping for each data stream can be found
+in `Stack Management`›`Ingest Pipelines` and and searching for
+"logs-network_traffic compatibility".
+
+The deprecation and retirement timeline for legacy behavior is available
+[here](https://github.com/elastic/integrations/issues/8185).
+
 #### `enabled`
 
 The enabled setting is a boolean setting to enable or disable protocols

@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: network_traffic
 title: Network Packet Capture
-version: "1.29.1"
+version: "1.30.0"
 description: Capture and analyze network traffic from a host with Elastic Agent.
 type: integration
 categories: