Try out constant_keyword value fields in system log integrations#1211
Conversation
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
Trends 🧪 |
|
Hi @fearful-symmetry, thanks for opening up this PR! From the Security Solution side, the most important piece is for this integration to populate both |
|
Thanks for setting up a test. I merged support for the |
|
Figured I'd get the fields mixed up. Let's try that. |
|
@andrewkroh do we want to manually set the value for |
| - name: data_stream.type | ||
| type: constant_keyword | ||
| description: Data stream type. | ||
| value: logs |
There was a problem hiding this comment.
This is a nice addition we likely should add anywhere. @mtojek I remember we had some discussion around this in the past, maybe there is even an issue for it. Later on we should make sure it is in sync with the type in the manifest.
There was a problem hiding this comment.
Are you referring to validation only? If so, then I understand that this property will ALWAYS be in sync with the type (any overriding forbidden)?
There was a problem hiding this comment.
Yes, can't think of a use case where the two would not be in sync.
| type: constant_keyword | ||
| description: Data stream dataset. | ||
| value: system.auth | ||
| - name: event.dataset |
There was a problem hiding this comment.
Nit: Can we move event.dataset and event.module to the bottom to have it together as one block? Like this the diff is also cleaner to only have an addition on the bottom, assuming we leave out the changes for value in data_stream.*
|
For reference, here the two related issues: #226 elastic/kibana#66551 |
| value: system.security | ||
| - name: event.dataset | ||
| type: constant_keyword | ||
| description: event dataset. |
| - name: data_stream.namespace | ||
| type: constant_keyword | ||
| description: Data stream namespace. | ||
| - name: dataset.type |
| type: constant_keyword | ||
| description: Dataset type. | ||
| value: logs | ||
| - name: dataset.name |
There was a problem hiding this comment.
@ruflin shouldn't this field be removed? I think we replaced it with data_stream
| type: constant_keyword | ||
| description: Dataset name. | ||
| value: system.security | ||
| - name: dataset.namespace |
|
Alright, everything should be updated now. Just depends on what we want to do with the |
|
A tad confused by the CI failures, since |
|
...helps if I update |
packages/system/changelog.yml
Outdated
| # newer versions go on top | ||
| - version: "0.13.5" | ||
| changes: | ||
| - description: Use event.datastream and event.module |
There was a problem hiding this comment.
Should this say event.dataset instead of event.datastream?
There was a problem hiding this comment.
Good catch!
mtojek
left a comment
There was a problem hiding this comment.
Could you please make sure that dataset.* are not required anymore and clean them? I saw some in https://github.com/elastic/integrations/blob/27d37a116d765c32cccbbfd4f0773e563aed093c/packages/system/data_stream/security/fields/base-fields.yml .
@mtojek that's one of the things I'm not clear on. What uses |
|
Okay, so it just now occurred to me that when you said "required anymore" you were probably referring to the dashboards & saved searches. If that's the case, no, nothing is using them. |
What does this PR do?
This is a draft PR to test out the changes discussed here: https://github.com/elastic/security-team/issues/780
This is an addition based on the spec changes here: elastic/package-spec#194
This probably won't pass CI or anything now, as we're also waiting for this: elastic/elastic-package#386
This PR adds the
valuefield toconstant_keywordfields in the base yaml files.Checklist
changelog.ymlfile.manifest.ymlfile to point to the latest Elastic stack release (e.g.^7.13.0).