Skip to content

Add event.ingested to all Filebeat modules#20386

Merged
andrewkroh merged 4 commits intoelastic:masterfrom
andrewkroh:feature/fb/event-ingested-modules
Aug 4, 2020
Merged

Add event.ingested to all Filebeat modules#20386
andrewkroh merged 4 commits intoelastic:masterfrom
andrewkroh:feature/fb/event-ingested-modules

Conversation

@andrewkroh
Copy link
Copy Markdown
Member

@andrewkroh andrewkroh commented Jul 31, 2020
edited
Loading

What does this PR do?

The event.ingested field defines time at which the event was ingested to Elasticsearch
and it added by the Ingest Node pipeline.

This adds a test to ensure all modules create event.ingested.

Why is it important?

This field is important when trying to build
alerts for activities that may have been reported long after they occurred (@timestamp is
much older than event.ingested). This might happen if an agent was offline for a period
of time or the processing was delayed.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • Verify that no pipelines have duplicate set processors for event.ingested

Related issues

@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Jul 31, 2020
@andrewkroh andrewkroh force-pushed the feature/fb/event-ingested-modules branch from 5c3bb48 to ac727ec Compare July 31, 2020 16:04
@andrewkroh andrewkroh marked this pull request as ready for review July 31, 2020 16:04
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Jul 31, 2020

Pinging @elastic/siem (Team:SIEM)

@andrewkroh andrewkroh added the needs_backport PR is waiting to be backported to other branches. label Jul 31, 2020
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Jul 31, 2020
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Pull request #20386 updated]

  • Start Time: 2020-08-03T20:16:22.781+0000

  • Duration: 54 min 30 sec

Test stats 🧪

Test Results
Failed 0
Passed 5516
Skipped 840
Total 6356

@andrewkroh
Add event.ingested to all Filebeat modules
066a9fd 
The event.ingested field defines time at which the event was ingested to Elasticsearch
and it added by the Ingest Node pipeline. This field is important when trying to build
alerts for activities that may have been reported long after they occurred (@timestamp is
much older than event.ingested). This might happen if an agent was offline for a period
of time or the processing was delayed.

This adds a test to ensure all modules create event.ingested.

Closes elastic#20073
@andrewkroh
Update more modules with event.ingested
6f53473
@andrewkroh andrewkroh force-pushed the feature/fb/event-ingested-modules branch from 315e890 to 6f53473 Compare August 3, 2020 19:22
@andrewkroh andrewkroh mentioned this pull request Aug 4, 2020
Merged
2 tasks
andrewstucki
andrewstucki reviewed Aug 4, 2020
View reviewed changes
x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml
value: '{{_ingest.timestamp}}'
- set:
field: event.created
value: '{{@timestamp}}'
Copy link
Copy Markdown

@andrewstucki andrewstucki Aug 4, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these almost make me wonder if we should add event.created by default to the @timestamp populating code.

Copy link
Copy Markdown
Contributor

@leehinman leehinman Aug 10, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Zeek already had event.created, but it was being set to _ingest.timestamp so I changed it to @timestamp. The diff looks like I added a new event.created field but really I changed it.

I do think that for consistency we should add event.created and also event.original to every module. But that's probably best to do in separate pull requests.

@andrewstucki @andrewkroh
So the ECS docs have this for event.created:

In case the two timestamps are identical, @timestamp should be used.

I'm wondering if we should be setting event.created & @timestamp to the same value?

andrewstucki
andrewstucki reviewed Aug 4, 2020
View reviewed changes
Copy link
Copy Markdown

@andrewstucki andrewstucki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see a bunch of places where event.created is added--makes sense, but just wondering why it was added for some, but not others?

@andrewkroh
Copy link
Copy Markdown
Member Author

andrewkroh commented Aug 4, 2020

Zeek already had event.created, but it was being set to _ingest.timestamp so I changed it to @timestamp. The diff looks like I added a new event.created field but really I changed it.

I do think that for consistency we should add event.created and also event.original to every module. But that's probably best to do in separate pull requests.

@andrewkroh andrewkroh merged commit 829c3b7 into elastic:master Aug 4, 2020
v1v added a commit to v1v/beats that referenced this pull request Aug 6, 2020
@v1v
Merge remote-tracking branch 'upstream/master' into feature/ci-pipeli…
6fa6d3a 
…ne-2.0

* upstream/master:
  [docs] Promote ingest management to beta (elastic#20295)
  Upgrade elasticsearch client library used in tests (elastic#20405)
  Disable logging when pulling on python integration tests (elastic#20397)
  Remove pillow from testing requirements.txt (elastic#20407)
  [Filebeat][ATP Module]Setting user agent field required by the API (elastic#20440)
  [Ingest Manager] Send datastreams fields (elastic#20402)
  Add event.ingested to all Filebeat modules (elastic#20386)
  [Elastic Agent] Fix agent control socket path to always be less than 107 characters (elastic#20426)
  Improve cgroup_regex docs with examples (elastic#20425)
  Makes `metrics` config option required in app_insights (elastic#20406)
  Ensure install scripts only install if needed (elastic#20349)
  Update container name for the azure filesets (elastic#19899)
  Group same timestamp metrics values in app_insights metricset (elastic#20403)
  add_process_metadata processor adds container id even if process metadata not accessible (elastic#19767)
  Support "cluster" scope in Metricbeat elasticsearch module (elastic#18547)
  [Filebeat][SophosXG Module] Renaming module and fileset (elastic#20396)
  Update Suricata dashboards (elastic#20394)
  [Elastic Agent] Improve version, restart, enroll CLI commands (elastic#20359)
  Prepare home directories for docker images in a different stage (elastic#20356)
v1v added a commit to v1v/beats that referenced this pull request Aug 6, 2020
@v1v
Merge remote-tracking branch 'upstream/master' into fix/ci-tools-inst…
6b99d98 
…allation

* upstream/master: (23 commits)
  [docs] Promote ingest management to beta (elastic#20295)
  Upgrade elasticsearch client library used in tests (elastic#20405)
  Disable logging when pulling on python integration tests (elastic#20397)
  Remove pillow from testing requirements.txt (elastic#20407)
  [Filebeat][ATP Module]Setting user agent field required by the API (elastic#20440)
  [Ingest Manager] Send datastreams fields (elastic#20402)
  Add event.ingested to all Filebeat modules (elastic#20386)
  [Elastic Agent] Fix agent control socket path to always be less than 107 characters (elastic#20426)
  Improve cgroup_regex docs with examples (elastic#20425)
  Makes `metrics` config option required in app_insights (elastic#20406)
  Ensure install scripts only install if needed (elastic#20349)
  Update container name for the azure filesets (elastic#19899)
  Group same timestamp metrics values in app_insights metricset (elastic#20403)
  add_process_metadata processor adds container id even if process metadata not accessible (elastic#19767)
  Support "cluster" scope in Metricbeat elasticsearch module (elastic#18547)
  [Filebeat][SophosXG Module] Renaming module and fileset (elastic#20396)
  Update Suricata dashboards (elastic#20394)
  [Elastic Agent] Improve version, restart, enroll CLI commands (elastic#20359)
  Prepare home directories for docker images in a different stage (elastic#20356)
  New multiline mode in Filebeat: while_pattern (elastic#19662)
  ...
@andrewkroh andrewkroh mentioned this pull request Aug 6, 2020
Merged
5 tasks
@andrewkroh andrewkroh added v7.10.0 and removed needs_backport PR is waiting to be backported to other branches. labels Aug 6, 2020
andrewkroh added a commit to andrewkroh/beats that referenced this pull request Aug 6, 2020
@andrewkroh
Add event.ingested to all Filebeat modules (elastic#20386)
288b7c3 
The event.ingested field defines time at which the event was ingested to Elasticsearch
and it added by the Ingest Node pipeline. This field is important when trying to build
alerts for activities that may have been reported long after they occurred (@timestamp is
much older than event.ingested). This might happen if an agent was offline for a period
of time or the processing was delayed.

This adds a test to ensure all modules create event.ingested.

Use Filebeat read time instead of ingest time as event.created in Zeek.

Closes elastic#20073

(cherry picked from commit 829c3b7)
andrewkroh added a commit that referenced this pull request Aug 11, 2020
@andrewkroh
Add event.ingested to all Filebeat modules (#20386) (#20483)
9ebe21c 
The event.ingested field defines time at which the event was ingested to Elasticsearch
and it added by the Ingest Node pipeline. This field is important when trying to build
alerts for activities that may have been reported long after they occurred (@timestamp is
much older than event.ingested). This might happen if an agent was offline for a period
of time or the processing was delayed.

This adds a test to ensure all modules create event.ingested.

Use Filebeat read time instead of ingest time as event.created in Zeek.

Closes #20073

(cherry picked from commit 829c3b7)
@adriansr adriansr mentioned this pull request Aug 20, 2020
Merged
@adriansr adriansr mentioned this pull request Aug 24, 2020
Merged
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this pull request Oct 14, 2020
@andrewkroh @melchiormoulin
Add event.ingested to all Filebeat modules (elastic#20386)
52f2918 
The event.ingested field defines time at which the event was ingested to Elasticsearch
and it added by the Ingest Node pipeline. This field is important when trying to build
alerts for activities that may have been reported long after they occurred (@timestamp is
much older than event.ingested). This might happen if an agent was offline for a period
of time or the processing was delayed.

This adds a test to ensure all modules create event.ingested.

Use Filebeat read time instead of ingest time as event.created in Zeek.

Closes elastic#20073
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@leehinman leehinman leehinman left review comments

+1 more reviewer

@andrewstucki andrewstucki andrewstucki approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

enhancement Filebeat Filebeat v7.10.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Meta] Expand support for populating event.ingested

4 participants

@andrewkroh @elasticmachine @andrewstucki @leehinman