Skip to content

Libbeat: Do not overwrite agent.*, ecs.version, and host.name#14407

Merged
cwurm merged 3 commits intoelastic:masterfrom
cwurm:libbeat_do_not_overwrite
Dec 2, 2019
Merged

Libbeat: Do not overwrite agent.*, ecs.version, and host.name#14407
cwurm merged 3 commits intoelastic:masterfrom
cwurm:libbeat_do_not_overwrite

Conversation

@cwurm
Copy link
Copy Markdown
Contributor

@cwurm cwurm commented Nov 7, 2019
edited
Loading

Addresses part of #13920 (comment).

Libbeat currently sets a few fields in every event, with no option to turn it off, or to at least not overwrite existing values.

This is a problem when receiving forwarded events (see #13920 for details). The field I'm most concerned about is host.name which is used by the Kibana SIEM app to identify hosts. This PR changes Libbeat to not overwrite host.name and a few other fields when they are already set (see list of fields below). This is technically a breaking change, though I think in almost all cases the current behavior is not what users would expect, and it is creating problems in the wild (eg #13706, discuss #1, discuss #2) - so I would like to make it in 7.x.

A bit more detail on the implementation: Adds a new function MapStr. DeepUpdateNoOverwrite alongside the existing MapStr.DeepUpdate and an overwrite parameter to the add_fields processor (but does not expose it).

The affected fields that will no longer be overwritten if they already exist are:

  1. agent.ephemeral_id
  2. agent.hostname
  3. agent.id
  4. agent.type
  5. agent.version
  6. ecs.version
  7. host.name

If we do not want to change the behavior for all these fields we could also refactor the code to only not overwrite host.name - but I think it makes sense to not overwrite any of these fields.

@cwurm cwurm requested review from andrewkroh and urso November 7, 2019 15:04
@cwurm cwurm requested review from a team as code owners November 8, 2019 00:39
@cwurm cwurm requested review from a team and removed request for a team November 8, 2019 00:39
@cwurm cwurm force-pushed the libbeat_do_not_overwrite branch from 8cdbef3 to 5f6390b Compare November 8, 2019 00:51
kvch
kvch reviewed Nov 12, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@kvch kvch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have a suggestion to eliminate the cryptic true or false as a parameter to DeepUpdate and keep the API of MapStr a "cleaner". This alternative implementation would also reduce the changes required in the codebase.

// add a new private function which handles updating values
// and makes a decision regarding overwriting values
func (m MapStr) deepUpdateMap(d MapStr, overwrite bool) {
    // body of the current DeepUpdate
}

func (m MapStr) DeepUpdate(d MapStr) {
    m.deepUpdateMap(d, true)
}

func (m MapStr) DeepUpdateWithoutOverwrite(d MapStr) {
    m.deepUpdateMap(d, false)
}

@urso
Copy link
Copy Markdown

urso commented Nov 12, 2019

+1 on not introducing booleans as arguments to select behavior in public APIs.

If we want to introduce some indicator in the public API it should be an enum so it is clear what will happen at the call side e.g. DeepUpdate(m, common.NoOverwrite). Given DeepUpdate is a quite commonly used API (potentially by community beats) I'd prefer to keep it stable => new function/method. Alternative name to DeepUpdateWithoutOverwrite might be DeepUpdateNoOverwrites.

leehinman added a commit that referenced this pull request Nov 20, 2019
@leehinman
[Winlogbeat] Set host.name to computername (#14625)
da6dd9d 
* Set host.name to computername

 - set host.name to computer name for windows events and sysmon
 - Add info about libbeat #14407 dependency

Fixes #13706
leehinman added a commit to leehinman/beats that referenced this pull request Nov 21, 2019
@leehinman
[Winlogbeat] Set host.name to computername (elastic#14625)
e63f714 
* Set host.name to computername

 - set host.name to computer name for windows events and sysmon
 - Add info about libbeat elastic#14407 dependency

Fixes elastic#13706

(cherry picked from commit da6dd9d)
leehinman added a commit that referenced this pull request Nov 21, 2019
@leehinman
[Winlogbeat] Set host.name to computername (#14625) (#14688)
3b9257a 
* Set host.name to computername

 - set host.name to computer name for windows events and sysmon
 - Add info about libbeat #14407 dependency

Fixes #13706

(cherry picked from commit da6dd9d)
@cwurm cwurm force-pushed the libbeat_do_not_overwrite branch from 5f6390b to 7ddc18a Compare November 25, 2019 13:43
houndci-bot
houndci-bot reviewed Nov 25, 2019
View reviewed changes
@cwurm
Copy link
Copy Markdown
Contributor Author

cwurm commented Nov 25, 2019

@kvch @urso Makes sense, I've changed to a new DeepUpdateNoOverwrite function. Let me know if that works.

kvch
kvch reviewed Nov 26, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@kvch kvch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Please update the section in the PR description about DeepUpdate.

@cwurm cwurm force-pushed the libbeat_do_not_overwrite branch from 3dc70ab to 55da2f0 Compare November 26, 2019 12:53
@cwurm
Copy link
Copy Markdown
Contributor Author

cwurm commented Nov 26, 2019

@kvch Thanks, done. Do you mind formally approving the PR?

@cwurm cwurm force-pushed the libbeat_do_not_overwrite branch from 55da2f0 to 525cd44 Compare December 2, 2019 11:26
@cwurm cwurm merged commit c115bb1 into elastic:master Dec 2, 2019
@cwurm cwurm deleted the libbeat_do_not_overwrite branch December 2, 2019 13:55
@cwurm cwurm mentioned this pull request Dec 2, 2019
Merged
cwurm pushed a commit to cwurm/beats that referenced this pull request Dec 2, 2019
Libbeat: Do not overwrite agent.*, ecs.version, and host.name (elasti…
05fcdb7 
…c#14407)

Do not forcibly overwrite agent.*, ecs.version, and host.name in Libbeat when they are already set.

(cherry picked from commit c115bb1)
@cwurm cwurm added the v7.6.0 label Dec 2, 2019
cwurm pushed a commit that referenced this pull request Dec 5, 2019
Libbeat: Do not overwrite agent.*, ecs.version, and host.name (#14407) (
dc57874 
#14879)

Do not forcibly overwrite agent.*, ecs.version, and host.name in Libbeat when they are already set.

(cherry picked from commit c115bb1)
@kaiyan-sheng kaiyan-sheng mentioned this pull request Aug 6, 2020
Closed
@tetianakravchenko tetianakravchenko mentioned this pull request Sep 12, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@urso urso Awaiting requested review from urso

@andrewkroh andrewkroh Awaiting requested review from andrewkroh

2 more reviewers

@houndci-bot houndci-bot houndci-bot left review comments

@kvch kvch kvch approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bug libbeat review v7.6.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@cwurm @urso @kvch @houndci-bot