Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make sure that main ECS fields are mapped in the Elastic Agent integration #8252

Open
rdner opened this issue Oct 19, 2023 · 4 comments
Open

Make sure that main ECS fields are mapped in the Elastic Agent integration #8252

rdner opened this issue Oct 19, 2023 · 4 comments
Labels
bug Something isn't working, use only for issues Integration:elastic_agent Elastic Agent Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team [elastic/elastic-agent-data-plane]

Comments

@rdner
Copy link
Member

rdner commented Oct 19, 2023
edited
Loading

Recently we had a report that log.file.path is not mapped in events created in the Elastic-Agent integration (dataset: elastic_agent.endpoint_security-external).

Another report that error.message is not mapped in logs-elastic_agent.filebeat-syslog either.

All the logs-*-* data streams including logs-elastic_agent.endpoint_security-external are created from this logs-template.json

which is composed of these component templates:

The last 2 were added ~4 months ago in this PR (should have been released with 8.9.x) elastic/elasticsearch#96171

Which means the log.file.path field should be mapped via this dynamic mapping:

https://github.com/elastic/elasticsearch/blob/48fcb2e7d4651b95a8e22612e2ec001ad4c4bdc4/x-pack/plugin/core/template-resources/src/main/resources/ecs-dynamic-mappings.json#L100

However, I see that dynamic mappings are disabled in the integration:

integrations/packages/elastic_agent/data_stream/endpoint_sercurity_logs/manifest.yml

Line 7 in ffe9c35

dynamic: false

It seems we have two options (both need to be tested):

  1. Set dynamic to true here

    integrations/packages/elastic_agent/data_stream/endpoint_sercurity_logs/manifest.yml

    Line 7 in ffe9c35

    dynamic: false
  2. Add a limited list of most important fields (e.g. log.file.path) here https://github.com/elastic/integrations/blob/ffe9c35004696815c24fdb89aa86778d2ea67885/packages/elastic_agent/data_stream/endpoint_sercurity_logs/fields/ecs.yml

(1) might have big impact and lead to performance issues, see #1298 (comment)

(2) is fixing the currently reported symptom instead of the root cause and we might receive more reports in the future.
@rdner rdner added bug Something isn't working, use only for issues Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team [elastic/elastic-agent-data-plane] labels Oct 19, 2023
@elasticmachine
Copy link

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@cmacknz
Copy link
Member

cmacknz commented Oct 19, 2023

I vote for option 2 unless we believe option 1 is totally risk free. We don't seem to get a lot of requests for new fields, so I hesitate to do something that may cause performance problems whenever the elastic_agent integration is used (which is a lot).

@rdner
Copy link
Member Author

rdner commented Oct 20, 2023
edited
Loading

We've got another report that error.message is not mapped either.

Mapped only in the fleet server logs

integrations/packages/elastic_agent/data_stream/fleet_server_logs/fields/ecs.yml

Line 17 in 399ac66

- name: error.message

@tammytorbert
Copy link

Another field not mapped - host.os.type. Mapping appears to be missing from component template - logs-elastic_agent.filebeat@package

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working, use only for issues Integration:elastic_agent Elastic Agent Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team [elastic/elastic-agent-data-plane]
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@rdner @cmacknz @andrewkroh @elasticmachine @tammytorbert