[Filebeat] Allow modules to set the ecs.version field value #17688
Assignees
Labels
Comments
|
I verified that modules can set diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml
index 929237b99..a1aeda8f5 100644
--- a/x-pack/filebeat/module/panw/panos/config/input.yml
+++ b/x-pack/filebeat/module/panw/panos/config/input.yml
@@ -18,6 +18,11 @@ exclude_files: [".gz$"]
tags: {{.tags}}
processors:
+ - add_fields:
+ target: ecs
+ fields:
+ version: 1.6.0-beta
+
- add_locale: ~
- decode_csv_fields:@leehinman What do you think of that approach? |
|
I like it I'll add to all the filesets I've updated. |
|
I want to expand this issue to include explicitly setting the
|
|
I have opened #19159 to cover Auditbeat, Winlogbeat, Packetbeat. |
|
@leehinman The Filebeat part of this issue is complete, right? |
5 tasks
leehinman
added a commit
to leehinman/beats
that referenced
this issue
Jun 15, 2020
- Add test to check if ecs.version is set - add_fields to azure/activitylogs - add_fields to azure/auditlogs - add_fields to azure/signinlogs - add_fields to checkpoint/firewall - add_fields to crowdstrike/falcon - add_fields to fortinet/firewall - add_fields to traefik/access Relates elastic#17688
Once #19198 is merged. |
leehinman
added a commit
that referenced
this issue
Jun 16, 2020
* Explicitly set ECS version in Filebeat modules. - Add test to check if ecs.version is set - add_fields to azure/activitylogs - add_fields to azure/auditlogs - add_fields to azure/signinlogs - add_fields to checkpoint/firewall - add_fields to crowdstrike/falcon - add_fields to fortinet/firewall - add_fields to traefik/access Relates #17688
leehinman
added a commit
to leehinman/beats
that referenced
this issue
Jun 16, 2020
…9198) * Explicitly set ECS version in Filebeat modules. - Add test to check if ecs.version is set - add_fields to azure/activitylogs - add_fields to azure/auditlogs - add_fields to azure/signinlogs - add_fields to checkpoint/firewall - add_fields to crowdstrike/falcon - add_fields to fortinet/firewall - add_fields to traefik/access Relates elastic#17688 (cherry picked from commit 81b0c3a)
5 tasks
leehinman
added a commit
that referenced
this issue
Jun 25, 2020
…19223) * Explicitly set ECS version in Filebeat modules. - Add test to check if ecs.version is set - add_fields to azure/activitylogs - add_fields to azure/auditlogs - add_fields to azure/signinlogs - add_fields to checkpoint/firewall - add_fields to crowdstrike/falcon - add_fields to fortinet/firewall - add_fields to traefik/access Relates #17688 (cherry picked from commit 81b0c3a)
andrewkroh
added a commit
to andrewkroh/beats
that referenced
this issue
Jul 13, 2020
When we update the Beat (include all of its modules) we will then bump the ECS version that it includes in events. I went for a less granular approach than what is being used in Filebeat because I think it's desirable to move a whole beat to a new ECS version "at once" and more realistic to do so with these Beats that have fewer updates. By "at once" I mean we won't release a version that is partially updated. This implies that if we will be making multiple commits that we should use a feature branch to ensure the update is atomic. Closes elastic#17688
andrewkroh
added a commit
that referenced
this issue
Jul 13, 2020
When we update the Beat (include all of its modules) we will then bump the ECS version that it includes in events. I went for a less granular approach than what is being used in Filebeat because I think it's desirable to move a whole beat to a new ECS version "at once" and more realistic to do so with these Beats that have fewer updates. By "at once" I mean we won't release a version that is partially updated. This implies that if we will be making multiple commits that we should use a feature branch to ensure the update is atomic. Closes #17688
botelastic
bot
added
the
needs_team
|
This issue doesn't have a |
andrewkroh
added a commit
to andrewkroh/beats
that referenced
this issue
Jul 13, 2020
) When we update the Beat (include all of its modules) we will then bump the ECS version that it includes in events. I went for a less granular approach than what is being used in Filebeat because I think it's desirable to move a whole beat to a new ECS version "at once" and more realistic to do so with these Beats that have fewer updates. By "at once" I mean we won't release a version that is partially updated. This implies that if we will be making multiple commits that we should use a feature branch to ensure the update is atomic. Closes elastic#17688 (cherry picked from commit 256b50d)
andrewkroh
added a commit
that referenced
this issue
Jul 14, 2020
…19862) When we update the Beat (include all of its modules) we will then bump the ECS version that it includes in events. I went for a less granular approach than what is being used in Filebeat because I think it's desirable to move a whole beat to a new ECS version "at once" and more realistic to do so with these Beats that have fewer updates. By "at once" I mean we won't release a version that is partially updated. This implies that if we will be making multiple commits that we should use a feature branch to ensure the update is atomic. Closes #17688 (cherry picked from commit 256b50d)
melchiormoulin
pushed a commit
to melchiormoulin/beats
that referenced
this issue
Oct 14, 2020
…9198) * Explicitly set ECS version in Filebeat modules. - Add test to check if ecs.version is set - add_fields to azure/activitylogs - add_fields to azure/auditlogs - add_fields to azure/signinlogs - add_fields to checkpoint/firewall - add_fields to crowdstrike/falcon - add_fields to fortinet/firewall - add_fields to traefik/access Relates elastic#17688
melchiormoulin
pushed a commit
to melchiormoulin/beats
that referenced
this issue
Oct 14, 2020
) When we update the Beat (include all of its modules) we will then bump the ECS version that it includes in events. I went for a less granular approach than what is being used in Filebeat because I think it's desirable to move a whole beat to a new ECS version "at once" and more realistic to do so with these Beats that have fewer updates. By "at once" I mean we won't release a version that is partially updated. This implies that if we will be making multiple commits that we should use a feature branch to ensure the update is atomic. Closes elastic#17688
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the enhancement:
As a user of Filebeat modules I would like the ECS version number (
ecs.version) to reflect what version the data from the module comforms to rather than what version of the schema has been imported by libbeat.Describe a specific use case for the enhancement or feature:
It's helpful to have an accurate
ecs.versionfield in the data when you are trying to build queries for the data. You might need one query for earlier versions and then can use a generic query for the later versions that have categories and types.It will also serve as documentation of when the module was last updated for ECS.
Relates: #16089
The text was updated successfully, but these errors were encountered: