github elastic/ecs v8.0.0
ECS 8.0.0

2 years ago

What's new in ECS 8.0

We're pleased to announce ECS 8.0.

Thank you to all the ECS contributors who help support the broader Elastic community.

Versioning: 1.x -> 8.0

ECS versioning now aligns with the Elastic platform beginning with 8.0.

ECS didn't follow the same release cadence as the Elastic platform when first introduced. Over time this approach added complexity for our users. For example, users might find themselves asking, "Which Elastic version maps to ECS 1.6.0?" With the versions aligned, it's clear which version of ECS maps to which Elastic platform version.

Power in simplicity. 😃

Removed fields

The following fields are removed in ECS 8.0:

| Field | Migrate to* | Reference |
|---|---|---|
| log.original | event.original | RFC 0017 |
| process.ppid | process.parent.pid | RFC 0022 |
| host.user.* reuse | user.* reuses | user.* field set usage |

*Field aliases can help transition existing searches or visualizations depending on these removed fields.
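
The two one-to-one renames from the table above, applied to stored events, as an added example that is not ECS project code. It assumes events are nested JSON objects; the function names are hypothetical, and host.user.* is left out because its replacement depends on which user.* reuse fits the event.

```python
# Added example, not ECS project code. Rename pairs come from the
# "Removed fields" table; all function names here are hypothetical.
RENAMES = {"log.original": "event.original",
           "process.ppid": "process.parent.pid"}
_MISSING = object()

def _get(doc, path):
    """Return the value at a dotted path, or _MISSING if absent."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return _MISSING
        doc = doc[key]
    return doc

def _set(doc, path, value):
    """Set a dotted path, creating intermediate objects as needed."""
    *parents, leaf = path.split(".")
    for key in parents:
        doc = doc.setdefault(key, {})
    doc[leaf] = value

def _pop(doc, path):
    """Remove a dotted path and prune parents left empty by the removal."""
    key, _, rest = path.partition(".")
    if not isinstance(doc, dict) or key not in doc:
        return _MISSING
    if not rest:
        return doc.pop(key)
    value = _pop(doc[key], rest)
    if value is not _MISSING and doc[key] == {}:
        del doc[key]
    return value

def migrate_event(doc):
    """Rewrite a nested ECS 1.x event in place; return unresolved conflicts."""
    conflicts = []
    for old, new in RENAMES.items():
        old_value = _get(doc, old)
        if old_value is _MISSING:
            continue
        new_value = _get(doc, new)
        if new_value is not _MISSING and new_value != old_value:
            # Both fields hold different data: leave the event untouched
            # for review rather than silently dropping one of the values.
            conflicts.append(old)
            continue
        _pop(doc, old)
        _set(doc, new, old_value)
    return conflicts
```

A non-empty return value names the removed fields whose old and new locations disagreed; those fields are left as they were.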

New field data types

ECS 1.x introduced wildcard and match_only_text as beta field types. As of ECS 8.0, these data types are GA.

The field types selected for ECS provide the best default experience for most users. However, some users may find that interoperable data types better fit their use cases, and they can read more about the options here.

Tooling changes

Elasticsearch generated artifacts

In 1.x, the project maintained sample index templates for two versions of Elasticsearch (6.x, 7.x). In 8.0, ECS now produces two sample template types: composable and legacy.

In composable, each ECS field set has a component template. An example component template, template.json, references each field set component template. These artifacts work with the new index templates introduced in Elasticsearch 7.8.

The legacy template will continue working with the legacy index template API.

Removed features

  • Removed the already deprecated --oss flag
  • Removed Go code generator to simplify the project's tooling and CI/CD pipeline.

Changelog

Schema Changes

Breaking changes

  • Remove host.user.* field reuse. #1439
  • Remove deprecation notice on http.request.method. #1443
  • Migrate log.origin.file.line from integer to long. #1533
  • Remove log.original field. #1580
  • Remove process.ppid field. #1596

Added

Improvements

  • Wildcard type field migration GA. #1582
  • match_only_text type field migration GA. #1584
  • Threat indicator fields GA from RFC 0008. #1586

Tooling and Artifact Changes

Breaking Changes

  • Removing deprecated --oss from generator #1404
  • Removing use-cases directory #1405
  • Remove Go code generator. #1567
  • Remove template generation for ES6. #1680
  • Update folder structure for generated ES artifacts. #1700, #1762
  • Updated support for overridable composable settings template. #1737

Improvements

  • Align input options for --include and --subset arguments #1519
  • Remove remaining Go deps after removing Go code generator. #1585
  • Add explicit default_field: true for Beats artifacts. #1633
  • Reorganize docs directory structure. #1679
  • Added support for analyzer definitions for text fields. #1737

Bugfixes

  • Fixed the default_field flag for root fields in Beats generator. #1711
