[Network Traffic] Missing ECS Field Mappings #7273
Conversation
MakoWish
force-pushed
the
network_traffic_missing_fields
branch
from
a958643 to
e98e5d9
Compare
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsExpand to view the GitHub comments
To re-run your PR in the CI, just comment with:
|
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
|
/test |
🌐 Coverage report
|
…akoWish/integrations into network_traffic_missing_fields
|
/test |
…akoWish/integrations into network_traffic_missing_fields
|
/test |
|
I don't have permissions to merge. Can someone do it, please? |
|
Please hold off on merging this subject to internal discussion. |
|
Okay, so just so I am clear on what needs to be done, and what this would actually accomplish... In the package's If so, I have been begging for this for quite some time now (see elasticsearch/issues/91370). |
|
The change should be just diff --git a/packages/network_traffic/_dev/build/build.yml b/packages/network_traffic/_dev/build/build.yml
index c8eeec8ca..c1af686e5 100755
--- a/packages/network_traffic/_dev/build/build.yml
+++ b/packages/network_traffic/_dev/build/build.yml
@@ -1,3 +1,4 @@
dependencies:
ecs:
reference: [email protected]
+ import_mappings: trueI think the problem might be being misunderstood at that issue; the solution here is part of agent, rather than elasticsearch, so that may be the root of the misunderstanding. Also, |
|
Okay, so simply adding a file Will enforce all ECS mappings? Yes, I also think they are misunderstanding the other issue. I have also brought this up with support, and our CSM, but so far getting zero traction from any angle. If the above will enforce all ECS field mappings, that would be the solution I have been waiting for. The key problem is that whoever creates an Integration may miss some mappings for fields that were not covered in test events, and it also doesn't take into account further ECS parsing the customer may do like we are with |
|
@MakoWish Just to clear up a few things about this feature, so that everyone is on the same page. A few releases ago, I created a dynamic template, that matches all the ECS fields available at that date, a dynamic template does not enforce field types, but when a field appears for the first time, and does not have any existing mapping, elasticsearch will try to auto-detect the type. Here is the template that is used: Now This was never meant to be the long term fix however, as enhancements to Elasticsearch dynamic templates was added a few versions ago, allowing rules to have arrays of fields, significantly decreasing the size of a template, and the more official ECS dynamic template is now bundled with the upcoming Elasticsearch binary, meaning that a ECS dynamic template component template is installed by default in future releases. There is still some work to be done to allow integrations to use that new dynamic template component template rather than this local static version, but the move should not create any issues for users. The more permanent solutions also allows users that do not use integrations, to simply use that new component template in their own datastream index templates. So this change is good for now, but its important to know the history about it, which is why it was not documented initially as well, in wait for the more permanent scenario. |
|
Okay, so are we willing to try this out on a GA integration? I am all for it, but before I remove |
Until we have a solution for populating the |
|
Was going to push the change, but I see you already did it. |
Type of change
What does this PR do?
This PR adds missing network-related ECS fields to prevent field mapping conflicts in the
logs-*Data View.Checklist
changelog.ymlfile.manifest.ymlfile.Related issues
Screenshots