[Custom AWS Logs] The field event.dataset should not be mapped as constant_keyword.

[leandrojmp]

Hello,

The Custom AWS Logs is one of the few integrations that it is used to get custom logs, so it has write permissions to logs-*-*, and in the integration configuration the user can change the dataset to a custom one.

At the same time, the event.dataset is mapped as a constant_keyword with the value aws_logs.generic and this can lead to events being dropped.

Recently I've configured this integration to get logs for Session Manager from S3 + SQS, but I've changed the dataset to be aws_logs.ssm instead of aws_logs.generic, I also cloned the integration template and changed it to match the pattern logs-aws_logs.ssm-*, added a new component template with my custom mappings and edited the integration custom pipeline to call another custom pipeline based on the datastream name.

But no events where being ingested, looking on the agent logs we saw some errors saying that it failed to index the events and directing to look at the events file where we found the reason for the events to be dropped.

{status=400): {"type":"document_parsing_exception","reason":"[1:50915] failed to parse field [event.dataset] of type [constant_keyword] indocument with id '1d6c6918b1-000000000000'. Preview of field's value: 'aws_logs.ssm'","caused_by":{"type":"illegal_argument_exception","reason":"[constant_keyword] field [event.dataset] only accepts values that are equal to the value defined in the mappings [aws_logs.generic], but got [aws_logs.ssm]"}}, dropping event!"

I'm not sure from where this event.dataset field is coming, I'm assuming that it gets its value from the Dataset name configuration.

There are workaround two solutions on this case, one is to create a custom mapping for this field to override its value in the custom template, another one is to use a set processor to change the event.dataset name back to aws_logs.generic, but I couldn't find none of them present in the documentation.

So I think that the documentation for this integration needs to be improved and since the integration is used to get generic logs and has permissions into logs-*-*, the event.dataset should not be a constant_keyword.

[ishleenk17]

@leandrojmp : The event.dataset should be a constant_keyword. Eg: In other input packages too.
Just that we should not assign a fix value to it as it fetches the value from data_stream.dataset.

So the fix here would be to remove the value form the event.dataset.

cc: @zmoog

[zmoog]

So the fix here would be to remove the value from the event.dataset.

Yep, we probably need to remove the value: aws_logs.generic.

However, the Custom AWS Logs integration is not an input package, it's an integration package ¹. So the last time I checked, integration packages do not create a custom index template as input packages do. There was a conversation in progress with the Fleet team.

Since we don't get an index template for each integration install, choosing keyword could be a good solution. I'll double-check with the team members who worked on this integration in the past.

Footnotes

1. The Custom AWS Logs integration was created before the input package spec existed. ↩

[ishleenk17]

Would it be a good idea to have it as input package @zmoog ?

[zmoog]

Would it be a good idea to have it as input package @zmoog ?

Yep, input packages' killer feature is the index templates you get for each dataset. We've discussed this idea before.

Let me double-check the status of this feature for standard integrations with Fleet.

[VincentWilde]

Hi @zmoog ,

Thank you for the clarification, but I'm confused by this response.
You mention that "Custom AWS Logs integration is not an input package, it's an integration package" and that "integration packages do not create a custom index template as input packages do."

However, we're clearly seeing the index template restriction in our production environment:

  "event": {
    "properties": {
      "dataset": {
        "type": "constant_keyword",
        "value": "aws_logs.generic"
      }
    }
}

So:

1. If integration packages don't create custom index templates, where is this constant_keyword mapping
   coming from?
2. How do you explain the Elasticsearch error we're getting:
   [constant_keyword] field [event.dataset] only accepts values that are equal to the value defined in the mappings [aws_logs.generic], but got [imperva_audit_customaws.log]
3. The integration UI clearly allows setting custom dataset names - shouldn't this work if it's offered as an option?
4. Most importantly: I don't understand what's preventing you from releasing a new version of the integration that removes this constant restriction. If the UI allows custom dataset configuration, the backend should support it. What technical blockers exist for this fix?

Could you help us understand the architecture here? We need to resolve this production issue and frankly,
this seems like a straightforward fix - remove the constant_keyword constraint and allow the field to be
dynamic as the UI suggests it should be

[ishleenk17]

@zmoog : This is similar to prometheus integration package.
Even this is an integration package but accepts dataset name from the user.
It has dataset name as constant_keyword, just no value is pre assigned to it.

To resolve this issue, do you think for now we remove the set value and assign the default value of "aws_logs.generic", in case no dataset value is assigned. This would ensure backward compatibility and also provide the needed flexibility.

[leandrojmp]

I'm not sure why event.dataset would need to be a constant_keyword field, the ECS documentation describe it as a keyword field, shouldn't it follow ECS guidelines? Or is this a requirement for integrations?

The main issue in this specific case is that since the value is assigned, the setting in the configuration is ignored, the user needs to clone the template and add a custom mapping to be able to use the desired dataset name.

At least the assigned name should be removed.

[zmoog]

@VincentWilde, sorry, my previous sentence was lacking precision. It should have been something like this:

"integration packages do not create a custom index template [for each custom dataset] as input packages do."

You're right in saying that Integration packages create index templates. Integration packages create exactly one index template for each integration they contain.

For example, if I install a single aws integration package, Fleet creates many index templates—one index template for each integration the package contains:

Then, if I install a single aws_logs integration package, Fleet creates a single index template:

If I continue installing two more aws_logs integration packages, each with different custom "Dataset name", I end up with three installations:

However, no matter how many installations I make, I still have one shared index template:

---

If I install three input packages like the Custom Azure Logs integration instead:

I get three different index templates, each one with a custom dataset:

---

The Custom Azure Logs integration is not better or worse than Custom AWS Logs: they're just different because the Azure one is an input package and the AWS one is an integration package that was conceived when the input package spec didn't exist yet.

[zmoog]

I think we have two topics here:

1. How integration and input packages work.
2. How to address the error from the Custom AWS Logs integration package.

For the first topic, my previous comment probably covers how integration/input packages work (but let me know if you have any additional questions!). What remains is understanding whether there's a migration path from integration to input package for the Custom AWS Logs, because the input package is a better fit for the intended purpose of this integration.

For the second topic, I agree with @leandrojmp that we should change the mapping for the Custom AWS Logs in its current form. I'll create an issue to spark the discussion, and a PR to address the problem.

[zmoog]

@zmoog : This is similar to prometheus integration package. Even this is an integration package but accepts dataset name from the user. It has dataset name as constant_keyword, just no value is pre assigned to it.

To resolve this issue, do you think for now we remove the set value and assign the default value of "aws_logs.generic", in case no dataset value is assigned. This would ensure backward compatibility and also provide the needed flexibility.

I think that if users install multiple aws_logs packages, data streams created from the only index template needs to host different event.dataset values, so constant_keyword is probably not working for event.dataset in all use cases.

[zmoog]

The data_stream.dataset field should be a constant_keyword, but event.dataset probably should not.

[zmoog]

There's more to this issue than what meets the eye

I tried to reproduce it on my local cluster and I wasn't able to reproduce it. But I learned along the way. Here's what I did and what I found.

Test

I installed the Custom AWS Logs 1.8.2 using a custom dataset aws_logs.custom1, and started collecting CloudWatch logs. Logs started flowing from CloudWatch to the data stream logs-aws_logs.custom1-default.

However, after a closer look, I noticed the data stream logs-aws_logs.custom1-default wasn't created from the logs-aws_logs.generic index template (it doesn't match the index pattern), but from the logs index template instead:

The data stream logs-aws_logs.custom1-default can ingest log events with any dataset as it doesn't contain a mapping for the event.dataset field.

Observations

Since the Custom AWS Logs integration doesn't automatically create an index template for each custom dataset, users probably clone the logs-aws_logs.generic index template, and change it to match the custom template.

Unfortunately, this brings in the constant event.dataset mapping from the logs-aws_logs.generic@package component template, causing the error.

In the current form, the Custom AWS Logs integration seems not to work well with cloning the index template, a common practice used to manually bridge the gaps between integration and input packages.

To resolve this issue, do you think for now we remove the set value and assign the default value of "aws_logs.generic", in case no dataset value is assigned. This would ensure backward compatibility and also provide the needed flexibility.

Yeah, I agree with you @ishleenk17 — we should remove the constant value from the mapping as you suggested. And also provide guidance in the integration docs about how to use the integration, as @leandrojmp pointed out.

I'm not sure from where this event.dataset field is coming, I'm assuming that it gets its value from the Dataset name configuration.

It's set by a processor injected by Fleet when it renders the policy template. You can find the rendered version in an agent diagnostics. Here's an example:

# elastic-agent-diagnostics/components/aws-cloudwatch-default/beat-rendered-config.yml
inputs:
    - access_key_id: [redacted]
      api_sleep: 200ms
      data_stream:
        dataset: aws_logs.custom1
        elasticsearch:
            dynamic_dataset: true
            dynamic_namespace: true
        type: logs
      index: logs-aws_logs.custom1-default
      log_group_arn: [redacted]
      number_of_workers: 1
      processors:
        - add_fields:
            fields:
                input_id: aws-cloudwatch-aws_logs-e158228e-3066-4c53-8f70-b393933231fa
            target: '@metadata'
        - add_fields:
            fields:
                dataset: aws_logs.custom1
                namespace: default
                type: logs
            target: data_stream
        - add_fields:
            fields:
                dataset: aws_logs.custom1
            target: event # <---------------------- 👀 HERE
        - add_fields:
            fields:
                stream_id: aws-cloudwatch-aws_logs.generic-e158228e-3066-4c53-8f70-b393933231fa
            target: '@metadata'
        - add_fields:
            fields:
                id: ffedf804-b6d7-4e24-b1ce-df233eac0125
                snapshot: false
                version: 8.19.1
            target: elastic_agent
        - add_fields:
            fields:
                id: ffedf804-b6d7-4e24-b1ce-df233eac0125
            target: agent

[zmoog]

Kicked off a PR #15507 to fix this issue.

You'll need to rollover the data streams created from the cloned index templates.