From 56850316feb6847615b6de7cea1a28b89dbf2211 Mon Sep 17 00:00:00 2001
From: Agi K Thomas
Date: Tue, 9 Jul 2024 02:56:16 +0000
Subject: [PATCH] Added codeowners entry, added processor in manifest, fixed ecs mappings, regenerated sample_events
---
 .github/CODEOWNERS | 1 +
 .../awshealth/agent/stream/stream.yml.hbs | 4 +
 .../aws/data_stream/awshealth/fields/ecs.yml | 4 -
 .../data_stream/awshealth/fields/fields.yml | 76 ++++++++++---------
 .../aws/data_stream/awshealth/manifest.yml | 8 ++
 .../data_stream/awshealth/sample_event.json | 9 +--
 packages/aws/docs/awshealth.md | 30 ++++----
 7 files changed, 68 insertions(+), 64 deletions(-)
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index d91fe5300a4..226ca03e7be 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -27,6 +27,7 @@
 /packages/aws/changelog.yml @elastic/obs-ds-hosted-services @elastic/security-service-integrations @elastic/obs-infraobs-integrations
 /packages/aws/data_stream/apigateway_logs @elastic/obs-infraobs-integrations
 /packages/aws/data_stream/apigateway_metrics @elastic/obs-infraobs-integrations
+/packages/aws/data_stream/awshealth @elastic/obs-infraobs-integrations
 /packages/aws/data_stream/billing @elastic/obs-infraobs-integrations
 /packages/aws/data_stream/cloudfront_logs @elastic/obs-infraobs-integrations
 /packages/aws/data_stream/cloudtrail @elastic/obs-infraobs-integrations
diff --git a/packages/aws/data_stream/awshealth/agent/stream/stream.yml.hbs b/packages/aws/data_stream/awshealth/agent/stream/stream.yml.hbs
index 97702ba04c1..eab4eb50499 100644
--- a/packages/aws/data_stream/awshealth/agent/stream/stream.yml.hbs
+++ b/packages/aws/data_stream/awshealth/agent/stream/stream.yml.hbs
@@ -9,3 +9,7 @@ secret_access_key: {{secret_access_key}}
 {{#if session_token}}
 session_token: {{session_token}}
 {{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/aws/data_stream/awshealth/fields/ecs.yml b/packages/aws/data_stream/awshealth/fields/ecs.yml index 9a699dcc2b9..303e169c534 100644 --- a/packages/aws/data_stream/awshealth/fields/ecs.yml +++ b/packages/aws/data_stream/awshealth/fields/ecs.yml @@ -7,7 +7,3 @@ - name: agent.id external: ecs dimension: true -- external: ecs - name: service.type -- external: ecs - name: ecs.version diff --git a/packages/aws/data_stream/awshealth/fields/fields.yml b/packages/aws/data_stream/awshealth/fields/fields.yml index 121b7e05b6f..14795aa42c6 100644 --- a/packages/aws/data_stream/awshealth/fields/fields.yml +++ b/packages/aws/data_stream/awshealth/fields/fields.yml @@ -5,7 +5,6 @@ type: group description: > AWS Health metrics - fields: - name: affected_entities_others type: float 
@@ -34,20 +33,22 @@ type: keyword dimension: true description: > - The unique identifier for the event. The event ARN has the format arn:aws:health:event-region::event/SERVICE/EVENT_TYPE_CODE/EVENT_TYPE_PLUS_ID. + The unique identifier for the event. The event ARN has the format `arn:aws:health:::event///`. For example, `arn:aws:health:us-east-1::event/EC2/EC2_INSTANCE_RETIREMENT_SCHEDULED/EC2_INSTANCE_RETIREMENT_SCHEDULED_ABC123-DEF456` - name: event_scope_code type: keyword - description: "This parameter specifies whether the Health event is a public Amazon Web Service event or an account-specific event. Allowed values are PUBLIC, ACCOUNT_SPECIFIC, or NONE. \n" + description: > + This parameter specifies whether the Health event is a public Amazon Web Service event or an account-specific event. Allowed values are `PUBLIC`, `ACCOUNT_SPECIFIC`, or `NONE`." + - name: event_type_category type: keyword description: > - The event type category code. Possible values are issue, accountNotification, or scheduledChange. + The event type category code. Possible values are `issue`, `accountNotification`, `investigation` or `scheduledChange`. - name: event_type_code type: keyword description: > - The unique identifier for the event type. The format is AWS_SERVICE_DESCRIPTION. + The unique identifier for the event type. The format is `AWS_`. For example, `AWS_EC2_SYSTEM_MAINTENANCE_EVENT`. - name: last_updated_time type: date @@ -72,7 +73,7 @@ - name: status_code type: keyword description: > - The most recent status of the event. Possible values are open, closed, and upcoming. + The most recent status of the event. Possible values are `open`, `closed`, and `upcoming`. - name: event_description type: text 
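Review bot: The new folded `description` of `event_scope_code` ends in a stray `"` after the closing period, left over from the double-quoted string it replaces; inside a `>` scalar that character is literal text, and it is already visible in the regenerated table row for `aws.awshealth.event_scope_code` in `packages/aws/docs/awshealth.md`. Remove it so the value ends at the period after `NONE`, then rebuild the docs. Separately, the ARN and event-type formats on this page read `arn:aws:health:::event///` and `AWS_` with no placeholder names; that may only be a rendering loss of angle-bracket text, but it is worth confirming that the file itself still names each segment.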
@@ -80,37 +81,38 @@ The detailed description of the event. - name: affected_entities - type: group + type: object + object_type: keyword + object_type_mapping_type: "*" description: > Details of the affected entities related to the event. - fields: - - name: aws_account_id - type: keyword - description: > - The Amazon Web Services account number that contains the affected entity. - - - name: entity_url - type: keyword - description: > - The URL of the affected entity. - - - name: entity_value - type: keyword - description: > - The IDs of the affected entities. - - - name: affected_entities.last_updated_time - type: date - description: > - The last updated time of entities. - - - name: status_code - type: keyword - description: > - The most recent status of affected entities. Possible values are open, closed, and upcoming. - - - name: entity_arn - type: keyword - description: >- - The unique identifier for the affected entities. The entity ARN has the format: arn:aws:health:entity-region:aws-account:entity/entity-id. + - name: affected_entities.aws_account_id + type: keyword + description: > + The Amazon Web Services account number that contains the affected entity. + + - name: affected_entities.entity_url + type: keyword + description: > + The URL of the affected entity. + + - name: affected_entities.entity_value + type: keyword + description: > + The ID of the affected entity. + + - name: affected_entities.last_updated_time + type: date + description: > + The last updated time of entity. + + - name: affected_entities.status_code + type: keyword + description: > + The most recent status of the entity affected by the event. The possible values include `IMPAIRED`, `UNIMPAIRED`, `UNKNOWN`, `PENDING`, `RESOLVED`. + + - name: affected_entities.entity_arn + type: keyword + description: > + The unique identifier for the affected entities. The entity ARN has the format: `arn:aws:health:::entity/`. 
For example, `arn:aws:health:us-east-1:111222333444:entity/AVh5GGT7ul1arKr1sE1K`.
diff --git a/packages/aws/data_stream/awshealth/manifest.yml b/packages/aws/data_stream/awshealth/manifest.yml
index cc941905bbd..b17cc5ebd11 100644
--- a/packages/aws/data_stream/awshealth/manifest.yml
+++ b/packages/aws/data_stream/awshealth/manifest.yml
@@ -39,5 +39,13 @@ streams:
 show_user: false
 default: true
 description: When include_linked_accounts is set to true, CloudWatch metrics will be collected from both linked accounts and the monitoring account. Default is true.
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the events are shipped. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.
 title: AWS Health metrics
 description: Collect AWS Health metrics
diff --git a/packages/aws/data_stream/awshealth/sample_event.json b/packages/aws/data_stream/awshealth/sample_event.json
index a80a85b48cd..e74dfc1d0ad 100644
--- a/packages/aws/data_stream/awshealth/sample_event.json
+++ b/packages/aws/data_stream/awshealth/sample_event.json
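Review bot: `affected_entities` is now `type: object` with `object_type: keyword` and `object_type_mapping_type: "*"`, which as I read the package field spec maps every key under it that is not declared below as `keyword`, yet nothing in the file says so or explains why the children moved from a nested `fields:` list to dotted names. A short comment above the entry would help the next maintainer, e.g. `# object + wildcard keyword: keys AWS adds later are indexed as keyword; the dotted entries below pin the documented ones`. The wording of the new descriptions is also uneven: "The last updated time of entity." wants an article, and `entity_arn` still says "affected entities" where its siblings were changed to the singular. The hunk's last added line is split across two physical lines on this page, so indentation could not be checked.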
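Review bot: The `processors` description tells users the setting can "reduce the number of fields in the exported event" without naming any field that has to survive. `agent.id` in `fields/ecs.yml` and the event ARN field in `fields/fields.yml` are declared `dimension: true`; if this data stream is indexed as a time series (not visible here), removing one of them in an agent-side processor would change how documents are identified, and anything dropped at the agent cannot be recovered downstream. I would append one sentence to the description, such as `Do not remove fields marked as dimensions (for example agent.id).`, since the value is rendered verbatim by the `{{#if processors}}` block this commit adds to `agent/stream/stream.yml.hbs`.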
@@ -15,24 +15,21 @@ "entity_arn": "arn:aws:health:us-west-2:00000000000:entity/g1boW0WfWEdh7qa18fGj5UZaAEFeA_2Ol3YtjyQ1IWcI4=1g", "entity_url": "", "entity_value": "arn:aws:ecs:us-west-2:00000000000:cluster/EC2BasedCluster", - "last_updated_time": "2024-06-07T01:53:31.728Z", - "status_code": "" + "last_updated_time": "2024-06-07T01:53:31.728Z" }, { "aws_account_id": "00000000000", "entity_arn": "arn:aws:health:us-west-2:00000000000:entity/g1ct5TryWpLSufg8DM-B5Wp_lAicG_0BlW9Zuh1m2YZrg=1g", "entity_url": "", "entity_value": "arn:aws:ecs:us-west-2:00000000000:cluster/DEMOGO-ECS", - "last_updated_time": "2024-06-07T01:53:31.728Z", - "status_code": "" + "last_updated_time": "2024-06-07T01:53:31.728Z" }, { "aws_account_id": "00000000000", "entity_arn": "arn:aws:health:us-west-2:00000000000:entity/g1mkYYnoO_cHYLqqY-p5H5owH5HTnTTu3ZmqnieDfbf_o=1g", "entity_url": "", "entity_value": "arn:aws:ecs:us-west-2:00000000000:cluster/elasticAgentCluster", - "last_updated_time": "2024-06-07T01:53:31.728Z", - "status_code": "" + "last_updated_time": "2024-06-07T01:53:31.728Z" } ], "affected_entities_others": 0, diff --git a/packages/aws/docs/awshealth.md b/packages/aws/docs/awshealth.md index 583f0f99673..ad83b5d5737 100644 --- a/packages/aws/docs/awshealth.md +++ b/packages/aws/docs/awshealth.md 
@@ -69,24 +69,21 @@ An example event for `awshealth` looks as following: "entity_arn": "arn:aws:health:us-west-2:00000000000:entity/g1boW0WfWEdh7qa18fGj5UZaAEFeA_2Ol3YtjyQ1IWcI4=1g", "entity_url": "", "entity_value": "arn:aws:ecs:us-west-2:00000000000:cluster/EC2BasedCluster", - "last_updated_time": "2024-06-07T01:53:31.728Z", - "status_code": "" + "last_updated_time": "2024-06-07T01:53:31.728Z" }, { "aws_account_id": "00000000000", "entity_arn": "arn:aws:health:us-west-2:00000000000:entity/g1ct5TryWpLSufg8DM-B5Wp_lAicG_0BlW9Zuh1m2YZrg=1g", "entity_url": "", "entity_value": "arn:aws:ecs:us-west-2:00000000000:cluster/DEMOGO-ECS", - "last_updated_time": "2024-06-07T01:53:31.728Z", - "status_code": "" + "last_updated_time": "2024-06-07T01:53:31.728Z" }, { "aws_account_id": "00000000000", "entity_arn": "arn:aws:health:us-west-2:00000000000:entity/g1mkYYnoO_cHYLqqY-p5H5owH5HTnTTu3ZmqnieDfbf_o=1g", "entity_url": "", "entity_value": "arn:aws:ecs:us-west-2:00000000000:cluster/elasticAgentCluster", - "last_updated_time": "2024-06-07T01:53:31.728Z", - "status_code": "" + "last_updated_time": "2024-06-07T01:53:31.728Z" } ], "affected_entities_others": 0, 
@@ -238,26 +235,27 @@ An example event for `awshealth` looks as following: |---|---|---|---| | @timestamp | Event timestamp. | date | | | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | -| aws.awshealth.affected_entities.affected_entities.last_updated_time | The last updated time of entities. | date | | +| aws.awshealth.affected_entities | Details of the affected entities related to the event. | object | | | aws.awshealth.affected_entities.aws_account_id | The Amazon Web Services account number that contains the affected entity. | keyword | | -| aws.awshealth.affected_entities.entity_arn | The unique identifier for the affected entities. The entity ARN has the format: arn:aws:health:entity-region:aws-account:entity/entity-id. | keyword | | +| aws.awshealth.affected_entities.entity_arn | The unique identifier for the affected entities. The entity ARN has the format: `arn:aws:health:\:\:entity/\`. For example, `arn:aws:health:us-east-1:111222333444:entity/AVh5GGT7ul1arKr1sE1K`. | keyword | | | aws.awshealth.affected_entities.entity_url | The URL of the affected entity. | keyword | | -| aws.awshealth.affected_entities.entity_value | The IDs of the affected entities. | keyword | | -| aws.awshealth.affected_entities.status_code | The most recent status of affected entities. Possible values are open, closed, and upcoming. | keyword | | +| aws.awshealth.affected_entities.entity_value | The ID of the affected entity. | keyword | | +| aws.awshealth.affected_entities.last_updated_time | The last updated time of entity. | date | | +| aws.awshealth.affected_entities.status_code | The most recent status of the entity affected by the event. The possible values include `IMPAIRED`, `UNIMPAIRED`, `UNKNOWN`, `PENDING`, `RESOLVED`. | keyword | | | aws.awshealth.affected_entities_others | The number of affected resources related to the event whose status cannot be verified. 
| float | gauge | | aws.awshealth.affected_entities_pending | The number of affected resources that may require action. | float | gauge | | aws.awshealth.affected_entities_resolved | The number of affected resources that do not require any action. | float | gauge | | aws.awshealth.end_time | The date and time when the event ended. Some events may not have an end date. | date | | -| aws.awshealth.event_arn | The unique identifier for the event. The event ARN has the format arn:aws:health:event-region::event/SERVICE/EVENT_TYPE_CODE/EVENT_TYPE_PLUS_ID. | keyword | | +| aws.awshealth.event_arn | The unique identifier for the event. The event ARN has the format `arn:aws:health:\::event/\/\/\`. For example, `arn:aws:health:us-east-1::event/EC2/EC2_INSTANCE_RETIREMENT_SCHEDULED/EC2_INSTANCE_RETIREMENT_SCHEDULED_ABC123-DEF456` | keyword | | | aws.awshealth.event_description | The detailed description of the event. | text | | -| aws.awshealth.event_scope_code | This parameter specifies whether the Health event is a public Amazon Web Service event or an account-specific event. Allowed values are PUBLIC, ACCOUNT_SPECIFIC, or NONE. | keyword | | -| aws.awshealth.event_type_category | The event type category code. Possible values are issue, accountNotification, or scheduledChange. | keyword | | -| aws.awshealth.event_type_code | The unique identifier for the event type. The format is AWS_SERVICE_DESCRIPTION. | keyword | | +| aws.awshealth.event_scope_code | This parameter specifies whether the Health event is a public Amazon Web Service event or an account-specific event. Allowed values are `PUBLIC`, `ACCOUNT_SPECIFIC`, or `NONE`." | keyword | | +| aws.awshealth.event_type_category | The event type category code. Possible values are `issue`, `accountNotification`, `investigation` or `scheduledChange`. | keyword | | +| aws.awshealth.event_type_code | The unique identifier for the event type. The format is `AWS_\`. For example, `AWS_EC2_SYSTEM_MAINTENANCE_EVENT`. 
| keyword | | | aws.awshealth.last_updated_time | The most recent date and time when the event was updated. | date | | | aws.awshealth.region | The Amazon Web Services Region name of the event. | keyword | | | aws.awshealth.service | The Amazon Web Service affected by the event. For example, EC2 or RDS. | keyword | | | aws.awshealth.start_time | The date and time when the event began. | date | | -| aws.awshealth.status_code | The most recent status of the event. Possible values are open, closed, and upcoming. | keyword | | +| aws.awshealth.status_code | The most recent status of the event. Possible values are `open`, `closed`, and `upcoming`. | keyword | | | aws.linked_account.id | ID used to identify linked account. | keyword | | | aws.linked_account.name | Name or alias used to identify linked account. | keyword | | | aws.tags | Tag key value pairs from aws resources. | flattened | | @@ -266,5 +264,3 @@ An example event for `awshealth` looks as following: | data_stream.dataset | Data stream dataset. | constant_keyword | | | data_stream.namespace | Data stream namespace. | constant_keyword | | | data_stream.type | Data stream type. | constant_keyword | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |