[1.x] Add field event.agent_id_status (#1454) #1456

Merged: ebeahan merged 1 commit into elastic:1.x from ebeahan:backport/1.x/pr-1454 on Jun 14, 2021

ebeahan commented Jun 14, 2021

Backports the following commits to 1.x:

* Add field event.agent_id_status

This adds a field that can be used to reflect the status of the agent.id verification performed by the receiving system or data pipeline. If the receiving system checks that the sender is authorized for a given agent.id value then the outcome can be added to this field.

For example you might implement mTLS for authenticating agents sending data to Logstash. You could add the agent's ID to the agent's client cert subject and then validate incoming events in your Logstash pipeline to ensure the data has the agent ID.

Or with Elasticsearch you could provide each of your agents with an API key that has the agent.id associated to the API key metadata. Then using an Ingest Node pipeline you can validate the agent.id against the client's API key metadata.

* Shorten value names, remove allowed_values
# Conflicts:
#	experimental/generated/csv/fields.csv
#	generated/csv/fields.csv
ebeahan merged commit 829873c into elastic:1.x on Jun 14, 2021

ebeahan deleted the backport/1.x/pr-1454 branch June 14, 2021 15:40
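
One way a receiver could compute this field for the mTLS case described in the pull request, as an added Ruby example (not code from ECS or from this PR). It assumes the agent ID sits in a single CN attribute of the client certificate subject; the function names are hypothetical, and the status strings are the values from the ECS definition of `event.agent_id_status`.

```ruby
require "openssl"

# Status strings from the ECS definition of event.agent_id_status.
VERIFIED = "verified"
MISMATCH = "mismatch"
MISSING = "missing"
AUTH_METADATA_MISSING = "auth_metadata_missing"

# Extract the agent ID from an RFC 2253 subject string such as
# "CN=agent-7f3a,OU=agents,O=Example" (constructed sample value).
# Assumption: the CA places the agent ID in exactly one CN attribute.
def agent_id_from_subject(subject_dn)
  dn = subject_dn.to_s.strip
  return nil if dn.empty?
  cns = OpenSSL::X509::Name.parse_rfc2253(dn).to_a
          .select { |type, _value, _tag| type == "CN" }
          .map { |_type, value, _tag| value }
  # Zero or several CNs is ambiguous, so it is not usable auth metadata.
  cns.length == 1 && !cns.first.empty? ? cns.first : nil
rescue OpenSSL::OpenSSLError, ArgumentError, TypeError
  nil # malformed subject: treat as missing auth metadata
end

# Return a copy of the event with event.agent_id_status set by the receiver.
def tag_agent_id_status(event, subject_dn)
  agent = event["agent"]
  claimed = agent.is_a?(Hash) ? agent["id"].to_s : ""
  authenticated = agent_id_from_subject(subject_dn)
  # Ordering when both sides are absent is a choice made in this example.
  status =
    if authenticated.nil? then AUTH_METADATA_MISSING
    elsif claimed.empty? then MISSING
    elsif claimed == authenticated then VERIFIED
    else MISMATCH
    end
  # Overwrite any status the sender supplied: only the receiver's result counts.
  ev = event["event"].is_a?(Hash) ? event["event"] : {}
  event.merge("event" => ev.merge("agent_id_status" => status))
end
```

Because the sender controls the event body, the function replaces any `event.agent_id_status` already present instead of trusting it.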