Finalize user_agent migration to ECS #10441
Conversation
webmat
added
in progress
webmat
changed the title
webmat
force-pushed
the
ecs-user-agent-cleanup
branch
from
f0c91d4 to
78b36d4
Compare
| "ignore_failure": true | ||
| } | ||
| }, { |
There was a problem hiding this comment.
Nice to see that some much code can be removed.
|
I'm trying to make this PR work for the user_agent without this fix elastic/elasticsearch#38094. Not sure if CI incorporates yesterday's change, which causes a mapping error. If it does, I want this PR to be merged to resolve the issue, and I'll do a follow-up PR once the final fix is in, to remove the last rename. |
|
The fun meter raises by another level: I just noticed that the ECS definition of |
webmat
changed the title
webmat
force-pushed
the
ecs-user-agent-cleanup
branch
from
ab773d8 to
7942a0b
Compare
webmat
added
review
in progress
- Device now aliased to ua.device.name - Version breakdown fields all relate to .version field, with alias:false
webmat
force-pushed
the
ecs-user-agent-cleanup
branch
from
7942a0b to
3c0af2d
Compare
webmat
changed the title
webmat
added
review
and removed
in progress
There was a problem hiding this comment.
LGTM. Should we add a changelog entry for this?
For the timestamp changes I would suggest we ignore it for now to make sure CI is green as we already work on fixing it. @ycombinator objections?
| "user_agent.name": "IE", | ||
| "user_agent.original": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR[ 2.0.50727](tel: 2050727); .NET CLR 3.0.30729)", | ||
| "user_agent.os.full_name": "Windows 8.1", | ||
| "user_agent.os.name": "Windows 8.1" | ||
| "user_agent.os.name": "Windows 8.1", |
There was a problem hiding this comment.
Is this expected? I see below this goes under full?
There was a problem hiding this comment.
ES bug. Will file this soon.
|
Canceled Windows jobs can be ignored. |
No objections from me. I'm +1 to deal with those changes in separate PR(s). |
|
@webmat @ycombinator Let's make sure that any follow up PR to fix the timestamp changes / fixes the timestamps we have remove / changed here. |
|
It's mostly on the ES side, though. We may proactively be able to circumvent some of parsing problems in our pipelines. But since they're regressions in ts parsing, they should also be fixed in ES. |
++ to trying to fix on the ES side. I've been trying to adapt our pipelines in a way that would work with |
|
@ycombinator Yes, even if never merged, would make it easy for me to 👀 . Otherwise I doubt I'll get to that in time :-\ |
There was a regression in ES when parsing timezones and we adapted the expected results to the incorrect values in elastic#10441. Revert these changes when the fixed ES images are ready.
There was a regression in ES when parsing timezones and we adapted the expected results to the incorrect values in #10441. Revert these changes when the fixed ES images are ready.
There was a regression in ES when parsing timezones and we adapted the expected results to the incorrect values in elastic#10441. Revert these changes when the fixed ES images are ready. (cherry picked from commit f9be490)
This adjusts to the updated user_agent parser, which is now in line with ECS schema. - major/minor/patch fields have been removed from the field definitions - multiple field renames in Filebeat module ingest node pipelines are now removed - remove Fb module test skipping which was added due to the latest ES build - delete the `user_agent` field nested in the Suricata EVE events, as it's now an alias - Caveat to this PR: the latest ES build has issues with timestamp parsing, so `@timestamp` is sometimes missing, or ignoring the timezone. This will be resolved in ES, and potentially a separate Beat PR.
This PR is built on top of #10472 and should be merged after it.
In 7.0, the output of ingest node "user_agent" processor will match ECS by default (elastic/elasticsearch#37984, elastic/elasticsearch#38094). This means we can remove a lot of temporary field renames that were previously needed, to make its output follow ECS.
This PR will fail CI until the ES Docker image used in CI includes the changes from both issues linked above. Both of them are merged to master already, so we're just waiting for the next successful artifact build for ES.
Filebeat datasets affected:
This PR also fixes a few mistakes that were made in ecs-migration.yml.
Caveat
This PR introduces multiple changes / removals of the
@timestampfield in the test files because of an unrelated change in how Elasticsearch parses timestamps. This will be fixed in other PRs.TODO
alias: false