event.original optionality across all packages

[jamiehynds]

Our current integrations are inconsistent when it comes to preserving original logs/fields. Some integrations preserve event.original, while others do not. Preserving raw logs has a significant impact on storage, often doubling the size of an event.

While there are cases whereby preservation of raw logs is a requirement, most users prefer to keep their storage costs as low as possible. Disabling event.original by default, but adding the option to enable, seems like the a reasonable solution.

Could we add a switch to our Fleet packages (not Beat modules) to allow some optionality on the preservation of original events.

Related issue: elastic/beats#14708

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[NeilADesai]

This should also go for original event fields (i.e. CEF module). We should not have duplicate fields by default.

[leehinman]

We currently use a tag of "forwarded" to control if host info is
disabled:

integrations/packages/okta/data_stream/system/agent/stream/httpjson.yml.hbs

Line 41 in 19c8c76

publisher_pipeline.disable_host: true

This "feels" similar, we could use a tag to represent
"preserve_original_event".

We don't have to use tags, but either way I think it would be nice to
have one way in which we add data to an event to control it's
processing. I also think it would be good to preserve this value so
the data could be re-indexed and get the same effect.

One other thing I thought of, want to make sure we don't accidentally
increase network bandwith by copying to event.original before we send
to ingest node.

[andrewkroh]

I like the idea of making it easy to reindex data from event.original.

I also think it would be good to preserve this value so
the data could be re-indexed and get the same effect.

With our pipelines all expecting the original value to be contained in message, using _reindex won't work as expected since the message value taken from _source will be the modified non-original value. It would be nice if Filebeat always set event.original rather than message. I guess pipelines could be made to use event.original if it exists, otherwise use message, but I would prefer invariant logic.

[P1llus]

I agree with both as well, just to try to sum it up:

• Change is only to be applied to packages, this includes all packages from both Observability and Security.
• This does not include special packages like endpoint and APM.
• The field to be used to preserve the event, is event.original.
• Instead of copying message to event.original, for reindex purposes the pipelines should be rewritten to use event.original instead. This makes the reindex experience much smoother.
• Each package will have a configuration option in the Fleet menu, asking for Preserve original event, which defaults to off.
• If Preserved original event is set to true by the user, a tag is applied which is called preserve_original_event
• If the tag is set, the ES Ingest Pipeline will be used to preserve the event, instead of local processing by the beat/agent, as that will be removed.
• event.original should not be a indexed field.

Example on adding the configuration option to the UI:

    vars:
      - name: preserve_original_event
        required: true
        show_user: true
        title: Preserve original event
        description: Preserves a raw copy of the original event, added to the field event.original
        type: bool
        multi: false
        default: false

In the agent configuration, to send the configuration object, we will use the tag preserve_original_event

tags:
{{#if preserve_original_event}}
- preserve_original_event
{{/if}}
{{#each tags as |tag i|}}
 - {{tag}}
{{/each}}

In ingest pipelines, depending on which source field we use, let's say currently is message that we want to preserve

  - set:
      field: event.original
      copy_from: message
      if: "ctx?.tags.contains('preserve_original_event')"

[andrewkroh]

Change is only to be applied to packages, this includes all packages from both Observability and Security.

Then I think this discussion should be happening in in elastic/integrations. Can you transfer this issue over to there.

[ruflin]

What we consider to be the original even in this context is the message field when it arrives at the ingest pipeline? In general I like this idea. As @andrewkroh mentioned, this makes reindexing really simple.

[andrewkroh]

Relates: elastic/ecs#841

[dainperkins]

@ruflin I think in this context security/evidence/audit requirements suggest that "original" = the message as recorded by the original entity - before any beats/agent/ingest pipeline modifications. (unsure if agent/integrations are doing any local processing, but the distinction, even from a docs perspective is likely important to those who are thinking of a secured log destination