Cherry-pick #14407 to 7.x: Libbeat: Do not overwrite agent.*, ecs.version, and host.name #14879

Merged
merged 1 commit into from
Dec 5, 2019

@cwurm cwurm commented Dec 2, 2019

Cherry-pick of PR #14407 to 7.x branch. Original message:

Addresses part of #13920 (comment).

Libbeat currently sets a few fields in every event, with no option to turn it off, or to at least not overwrite existing values.

This is a problem when receiving forwarded events (see #13920 for details). The field I'm most concerned about is host.name which is used by the Kibana SIEM app to identify hosts. This PR changes Libbeat to not overwrite host.name and a few other fields when they are already set (see list of fields below). This is technically a breaking change, though I think in almost all cases the current behavior is not what users would expect, and it is creating problems in the wild (e.g. #13706, discuss #1, discuss #2) - so I would like to make it in 7.x.

A bit more detail on the implementation: Adds a new function MapStr.DeepUpdateNoOverwrite alongside the existing MapStr.DeepUpdate and an overwrite parameter to the add_fields processor (but does not expose it).

The affected fields that will no longer be overwritten if they already exist are:

  1. agent.ephemeral_id
  2. agent.hostname
  3. agent.id
  4. agent.type
  5. agent.version
  6. ecs.version
  7. host.name

If we do not want to change the behavior for all these fields we could also refactor the code to only not overwrite host.name - but I think it makes sense to not overwrite any of these fields.

…c#14407)

Do not forcibly overwrite agent.*, ecs.version, and host.name in Libbeat when they are already set.

(cherry picked from commit c115bb1)
@cwurm cwurm merged commit dc57874 into elastic:7.x Dec 5, 2019
@cwurm cwurm deleted the backport_14407_7.x branch December 5, 2019 09:51
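
The difference between the two merge modes described in the PR, shown on a forwarded event. This is an added example, not code from the Beats repository: `M`, `deepUpdate`, `shipperFields`, `forwardedEvent`, `enrich` and all sample values are constructed for illustration.

```go
package main

import "fmt"

type M = map[string]interface{}

// deepUpdate (hypothetical helper, not libbeat's code) merges src into dst
// recursively. With overwrite=false, a leaf already present in dst is kept.
func deepUpdate(dst, src M, overwrite bool) {
	for k, v := range src {
		srcMap, srcIsMap := v.(M)
		dstMap, dstIsMap := dst[k].(M)
		if srcIsMap && dstIsMap {
			deepUpdate(dstMap, srcMap, overwrite) // both sides nested: descend
			continue
		}
		if _, exists := dst[k]; exists && !overwrite {
			continue // value set by the originating host wins
		}
		dst[k] = v
	}
}

// shipperFields: constructed metadata the forwarding Beat stamps on every event.
func shipperFields() M {
	return M{
		"host":  M{"name": "forwarder-01"},
		"agent": M{"type": "filebeat", "version": "0.0.0-example"},
		"ecs":   M{"version": "0.0.0-example"},
	}
}

// forwardedEvent: constructed event that arrived from another host.
func forwardedEvent() M {
	return M{"host": M{"name": "web-07"}, "agent": M{"type": "winlogbeat"}}
}

// enrich applies the shipper's fields to a fresh forwarded event.
func enrich(overwrite bool) M {
	ev := forwardedEvent()
	deepUpdate(ev, shipperFields(), overwrite)
	return ev
}

func main() {
	fmt.Println("overwrite:   ", enrich(true))
	fmt.Println("no overwrite:", enrich(false))
}
```

With `overwrite=false` the event keeps `host.name` and `agent.type` from the originating host, while fields it lacked (`agent.version`, `ecs.version`) are still filled in, so host-based SIEM views attribute the event to the machine that produced it rather than to the forwarder.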