Update windows integration package spec to v3#10781
Update fields definitions, manifest and changelog
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)
Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)
This commit sets typeMigrationVersion to the version that was required before the update to package spec v3
Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
| conditions: | ||
| kibana: | ||
| version: "^8.8.0" | ||
| version: "^8.14.0" |
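Review bot: the Kibana constraint in this hunk jumps from "^8.8.0" to "^8.14.0", which stops the package installing on every 8.8 through 8.13 stack; the changelog entry should state which package-spec v3 feature forces the 8.14 floor so the constraint can be revisited once that is confirmed.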
any chance we can go earlier?
I tried to go back to 8.8, but other things broke, not even 8.10.1 worked :/
So I just left the one that was working.
| name: destination.port | ||
| - external: ecs | ||
| name: dns.answers | ||
| type: object |
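Review bot: in this hunk dns.answers is declared with an explicit `type: object` while the neighbouring entries use `external: ecs`; ECS already defines dns.answers as an object with its subfields (class, data, name, ttl, type), so pulling it from ECS keeps the mapping consistent with the rest of the file, and if it stays explicit the subfields need declaring so they are not left to dynamic mapping.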
can we get rid of the whole ecs.yml file and use the ecs dynamic mappings?
I'm not sure.
I prefer to have explicit mapping to avoid any malformed data from creating the wrong mapping. Anyway, I'm open to looking into the dynamic mappings.
Update the ingest pipelines so the fields comply with ECS. Most of the updates are transforming strings into arrays and some updating the fields added to comply with ECS.
Updating the sample_event.json files fixes the static tests, the changes in the README are made by the build process.
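The string-to-array normalisation the commit message describes, modelled in Python as an added example (not the PR's ingest pipeline code); the field list and the sample event are assumptions, since the PR names neither:

```python
from copy import deepcopy

# ECS fields treated as array-valued here. Assumption: the PR does not list the
# exact fields it normalises; these are ECS array fields Windows pipelines fill.
ARRAY_FIELDS = ("event.category", "event.type", "related.ip", "related.user", "related.hash")

def _get(doc, path):
    """Walk a dotted path through nested dicts; return (found, value)."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return False, None
        cur = cur[key]
    return True, cur

def _set(doc, path, value):
    """Set a dotted path, or remove the leaf when value is None."""
    parts = path.split(".")
    cur = doc
    for key in parts[:-1]:
        cur = cur.setdefault(key, {})
    if value is None:
        cur.pop(parts[-1], None)
    else:
        cur[parts[-1]] = value

def normalize_arrays(event, array_fields=ARRAY_FIELDS):
    """Return a copy of `event` where each present array field is a list: a scalar
    becomes a one-element list, an existing list keeps its order minus duplicates,
    and None/"" removes the field so an empty string is never indexed (the
    malformed-data case raised in review)."""
    out = deepcopy(event)
    for path in array_fields:
        found, value = _get(out, path)
        if not found:
            continue
        items = list(value) if isinstance(value, (list, tuple)) else [value]
        cleaned = []
        for item in items:
            if item not in (None, "") and item not in cleaned:
                cleaned.append(item)
        _set(out, path, cleaned or None)
    return out

# Constructed sample event (not captured from the integration): scalar values
# as the pre-v3 pipelines emitted them, a duplicated related.ip, an empty user.
SAMPLE_EVENT = {
    "event": {"category": "process", "type": "start", "code": "1"},
    "related": {"ip": ["10.0.0.5", "10.0.0.5"], "user": "", "hash": "abc"},
}
```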
🚀 Benchmarks report

Package

| Data stream | Previous EPS | New EPS | Diff (%) | Result |
|---|---|---|---|---|
| applocker_exe_and_dll | 5076.14 | 4255.32 | -820.82 (-16.17%) | 💔 |
| applocker_packaged_app_execution | 21739.13 | 6944.44 | -14794.69 (-68.06%) | 💔 |
| sysmon_operational | 3802.28 | 3125 | -677.28 (-17.81%) | 💔 |
To see the full report comment with /test benchmark fullreport
💚 Build Succeeded
Package windows - 2.0.0 containing this change is available at https://epr.elastic.co/search?package=windows
Just as a heads-up, it appears that as of this PR (confirmed in ESS and On-Prem), all PowerShell event dashboards are now empty after upgrading to
I don't think so, at least I could not find one. This could have been caused by this PR, could you open an issue with details about the environment and how to reproduce and test?
Looks like we have an issue: elastic/elastic-agent#5746 (comment)
Are you sure this is the same issue @maggieghamry described? Maybe you pasted the wrong link? My understanding of the issue described by @maggieghamry is that the dashboard is not showing any data, but the agent is healthy. @maggieghamry do you see any errors/unhealthy agents? Is new data not appearing in the dashboard, or did the dashboard just stop working even with data from the previous version of the agent present in the cluster?
@belimawr I'm not sure it is the same issue, but we confirmed by testing on the last functional version (
--------- Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
Proposed commit message
This commit updates the windows integration to package spec v3.2.1 and makes all necessary changes to the dashboards and fields definitions.
Checklist
changelog.yml file.
Author's Checklist
How to test this PR locally
elastic-package
Related issues
windows integration to package spec v3 #10274
Screenshots