[Filebeat] Allow modules to set the ecs.version field value #17688
Comments
I verified that modules can set diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml
index 929237b99..a1aeda8f5 100644
--- a/x-pack/filebeat/module/panw/panos/config/input.yml
+++ b/x-pack/filebeat/module/panw/panos/config/input.yml
@@ -18,6 +18,11 @@ exclude_files: [".gz$"]
tags: {{.tags}}
processors:
+ - add_fields:
+ target: ecs
+ fields:
+ version: 1.6.0-beta
+
- add_locale: ~
- decode_csv_fields: @leehinman What do you think of that approach? |
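Review bot: the new add_fields block pins `version: 1.6.0-beta`, a pre-release label hard-coded into the fileset config with nothing marking it as a value that has to be revisited. Add a YAML comment next to it stating that it must be bumped whenever this fileset's ECS mapping changes (and to the final release string once 1.6.0 ships), and pair the change with a test that asserts the exact value, so a stale pin fails CI instead of silently labelling events with the wrong schema version. The `target: ecs` choice is right for producing `ecs.version`, and placing the processor first in the list keeps it independent of the later add_locale and decode_csv_fields steps.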
I like it. I'll add it to all the filesets I've updated.
I want to expand this issue to include explicitly setting the
I have opened #19159 to cover Auditbeat, Winlogbeat, Packetbeat. |
@leehinman The Filebeat part of this issue is complete, right?
Explicitly set ECS version in Filebeat modules.
- Add test to check if ecs.version is set
- add_fields to azure/activitylogs
- add_fields to azure/auditlogs
- add_fields to azure/signinlogs
- add_fields to checkpoint/firewall
- add_fields to crowdstrike/falcon
- add_fields to fortinet/firewall
- add_fields to traefik/access
Relates elastic#17688
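A check in the spirit of the "Add test to check if ecs.version is set" item above, written as an added example and not the Beats project's own test code: it scans a fileset's config/input.yml line by line (the Go template directive {{.tags}} makes the file invalid YAML, so a YAML loader cannot be used directly) and returns the ecs.version pinned by an add_fields processor with target: ecs. The sample config is constructed to mirror the panw/panos hunk discussed in the thread.

```python
import re
from typing import Optional

# Constructed fileset config/input.yml (not from the repository). The Go template
# {{.tags}} makes it invalid YAML, so the scanner below works line by line.
INPUT_WITH_ECS = """\
type: log
exclude_files: [".gz$"]
tags: {{.tags}}
processors:
  - add_fields:
      target: ecs
      fields:
        version: 1.6.0-beta

  - add_locale: ~
  - decode_csv_fields:
      fields:
        message: csv
"""
INPUT_WITHOUT_ECS = INPUT_WITH_ECS.replace(
    "  - add_fields:\n      target: ecs\n      fields:\n        version: 1.6.0-beta\n", "")
# Accept releases like 1.5.0 and pre-release labels like 1.6.0-beta.
ECS_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)?$")

def module_ecs_version(config_text: str) -> Optional[str]:
    """Return the ecs.version pinned by an add_fields processor with
    target: ecs, or None when the fileset does not set one."""
    lines = config_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)-\s*add_fields:\s*$", line)
        if not m:
            continue
        base, block = len(m.group(1)), {}
        for nested in lines[i + 1:]:
            if not nested.strip():
                continue  # blank lines do not end a YAML block
            if len(nested) - len(nested.lstrip()) <= base:
                break  # dedented: left this add_fields item
            kv = re.match(r"^\s*([\w.]+):\s*(.*?)\s*$", nested)
            if kv:
                block[kv.group(1)] = kv.group(2)
        if block.get("target") == "ecs" and block.get("version"):
            return block["version"]
    return None

def ecs_version_ok(config_text: str) -> bool:
    """True only when the fileset pins a well-formed ecs.version."""
    version = module_ecs_version(config_text)
    return version is not None and ECS_VERSION_RE.match(version) is not None
```

Running ecs_version_ok over every fileset's input.yml in a module tree turns the "is ecs.version set" question into a CI failure rather than something noticed later in the data.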
Once #19198 is merged.
When we update the Beat (including all of its modules) we will then bump the ECS version that it includes in events. I went for a less granular approach than what is being used in Filebeat because I think it's desirable to move a whole beat to a new ECS version "at once" and more realistic to do so with these Beats that have fewer updates. By "at once" I mean we won't release a version that is partially updated. This implies that if we will be making multiple commits, we should use a feature branch to ensure the update is atomic. Closes elastic#17688
This issue doesn't have a
Describe the enhancement:
As a user of Filebeat modules I would like the ECS version number (ecs.version) to reflect what version the data from the module conforms to rather than what version of the schema has been imported by libbeat.

Describe a specific use case for the enhancement or feature:
It's helpful to have an accurate ecs.version field in the data when you are trying to build queries for the data. You might need one query for earlier versions and then can use a generic query for the later versions that have categories and types. It will also serve as documentation of when the module was last updated for ECS.
Relates: #16089