Change fields.ecs.yml to ECS 1.11.0 #27107
Conversation
leehinman
added
enhancement
Filebeat
botelastic
bot
added
needs_team
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
Trends 🧪💚 Flaky test reportTests succeeded. Expand to view the summary
Test stats 🧪
|
leehinman
force-pushed
the
beats_ecs_1.11
branch
5 times, most recently
from
43f02f5 to
36cc6f9
Compare
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
|
This pull request is now in conflicts. Could you fix it? 🙏 |
There was a problem hiding this comment.
I'm curious how many new fields does this release add?
(My concern is that we add new fields to every beat with each ECS update (even if they are not utilized). This increases the mappings stored in cluster state and grows the response sizes in Kibana from the fields API.)
leehinman
force-pushed
the
beats_ecs_1.11
branch
4 times, most recently
from
f5d3efa to
2b8a519
Compare
|
This pull request is now in conflicts. Could you fix it? 🙏 |
leehinman
force-pushed
the
beats_ecs_1.11
branch
from
2b8a519 to
784ac35
Compare
There was a problem hiding this comment.
Some comments/questions.
- I'm thinking we should probably add orchestrator data to the processors as well:
- For the docker autodiscover/processor do you know if there's a way via Docker's API to detect if you're running in Swarm? If so maybe we should consider adding there as well? If it's too much of a heavy lift maybe we can add that in later as a separate enhancement though.
|
|
||
| nodeMap, err := kubemeta.GetValue(kind) | ||
| if err == nil { | ||
| node, _ := nodeMap.(common.MapStr) |
There was a problem hiding this comment.
Does this need to be cast/nil checked? If you want to do an unconditional cast, I'd remove the _ -- but assuming the above GetValue call returns a nil you probably want to be more explicit about the cast and nil checking here.
There was a problem hiding this comment.
Some comments/questions.
* I'm thinking we should probably add orchestrator data to the processors as well: * https://github.com/elastic/beats/tree/master/libbeat/processors/add_kubernetes_metadata * https://github.com/elastic/beats/tree/master/x-pack/libbeat/processors/add_nomad_metadata
Added
* For the docker autodiscover/processor do you know if there's a way via Docker's API to detect if you're running in Swarm? If so maybe we should consider adding there as well? If it's too much of a heavy lift maybe we can add that in later as a separate enhancement though.
It looks like you might be able to "inspect swarm", and know if you are in a swarm or not. But I'm thinking a separate enhancement might be best.
There was a problem hiding this comment.
Does this need to be cast/nil checked? If you want to do an unconditional cast, I'd remove the
_-- but assuming the aboveGetValuecall returns anilyou probably want to be more explicit about the cast andnilchecking here.
changed this so we don't get intermediate maps, cleaner all around, don't know what I was thinking.
| @@ -435,14 +437,16 @@ func (p *pod) podEvent(flag string, pod *kubernetes.Pod, ports common.MapStr, in | |||
| if len(namespaceAnnotations) != 0 { | |||
| kubemeta["namespace_annotations"] = namespaceAnnotations | |||
| } | |||
| orchestrator := genOrchestratorFields(kubemeta, "pod") | |||
There was a problem hiding this comment.
Is there some guidance around the orchestrator.resource.type field? Just making sure it makes sense to put pod here, the examples in the docs all have service and not sure if there was a desire to make the language orchestrator agnostic or not.
There was a problem hiding this comment.
Kubernetes autodiscover provider can discover different kinds of resources, depending on the resource setting. When resource: service is used, it will collect events from services, and then I think it is fine to use orchestrator.resource.type: service there, but here it is discovering pods and containers, so I think that it is ok to use pod.
| if err != nil { | ||
| return common.MapStr{} | ||
| } | ||
| nomad, _ := nomadMap.(common.MapStr) |
There was a problem hiding this comment.
Same as previous casting comments on unconditional v. checked casts.
|
|
||
| taskMap, err := nomad.GetValue("task") | ||
| if err == nil { | ||
| task, _ := taskMap.(common.MapStr) |
There was a problem hiding this comment.
Same as previous casting comments on unconditional v. checked casts.
I counted 792 fields in ECS 1.10.0 Diff is: |
leehinman
changed the title
|
This pull request is now in conflicts. Could you fix it? 🙏 |
leehinman
force-pushed
the
beats_ecs_1.11
branch
from
784ac35 to
e951ec8
Compare
|
@jsoriano & @kaiyan-sheng could you take a look at the changes to kubernetes & nomad autodiscover and add_metadata processors in this PR. It is a start to adding the orchestrator fields, and I'd really like a sanity check. |
There was a problem hiding this comment.
Reviewed the nomad and kubernetes parts, added some comments about the types used, and also about possible interactions with the code that adds orchestrator.cluster.name/url fields in some cases.
As there can be more discussion in these parts, I would suggest to move them to a different PR if you want to move forward the upgrade of ECS.
ccing @MichaelKatsoulis for the kubernetes changes too.
| taskName, err := meta.GetValue("nomad.task.name") | ||
| if err == nil { | ||
| orchestrator.Put("resource.name", taskName) | ||
| orchestrator.Put("resource.type", "task") |
There was a problem hiding this comment.
Events are generated at the allocation level, that is one level more specific than tasks (job -> task -> allocation), so I wonder if we should use allocations here instead of tasks.
For example, with filebeat, for a job with an nginx task in a task group with multiple instances I have events with:
"nomad": {
"allocation": {
"id": "afb658cf-5a5f-aeef-8fa7-0755906919d1",
"status": "running",
"name": "redis.server[0]"
},
...
"job": {
"name": "redis",
"type": "service"
},
"task": {
"name": "nginx",
"service": {
...
And:
"nomad": {
"allocation": {
"status": "running",
"name": "redis.server[1]",
"id": "feeddc6b-6f28-0cb6-8351-9dfec5dfcaac"
},
"job": {
"name": "redis",
"type": "service"
},
"region": "global",
"task": {
"name": "nginx",
"service": {
...
| if err == nil { | ||
| orchestrator.Put("namespace", namespace) | ||
| } | ||
|
|
There was a problem hiding this comment.
Interestingly add_nomad_metadata doesn't collect task-level metadata, this should be probably improved. But it collects allocation metadata, I think we should use this information if we want to fill type and name (in coherence with my other comment).
An example of the nomad metadata collected by add_nomad_metadata:
"nomad": {
"region": "global",
"allocation": {
"id": "feeddc6b-6f28-0cb6-8351-9dfec5dfcaac",
"status": "running",
"name": "redis.server[1]"
},
"job": {
"name": "redis",
"type": "service"
},
"namespace": "default",
"datacenter": [
"dc1"
]
},
| @@ -383,6 +383,7 @@ func (p *pod) containerPodEvents(flag string, pod *kubernetes.Pod, c *containerI | |||
| if len(namespaceAnnotations) != 0 { | |||
| kubemeta["namespace_annotations"] = namespaceAnnotations | |||
| } | |||
| orchestrator := genOrchestratorFields(kubemeta, "pod") | |||
There was a problem hiding this comment.
Events here are emitted at the container level, should we use the container fields instead?
| "meta": meta, | ||
| "orchestrator": orchestrator, |
There was a problem hiding this comment.
I think that to actually enrich the events, the new fields should be set in meta. I think that the other fields are used only in autodiscover (for templates, conditions and so on) but don't end up in the final documents. (But not 100% sure, I always get confused by that).
| @@ -435,14 +437,16 @@ func (p *pod) podEvent(flag string, pod *kubernetes.Pod, ports common.MapStr, in | |||
| if len(namespaceAnnotations) != 0 { | |||
| kubemeta["namespace_annotations"] = namespaceAnnotations | |||
| } | |||
| orchestrator := genOrchestratorFields(kubemeta, "pod") | |||
There was a problem hiding this comment.
Kubernetes autodiscover provider can discover different kinds of resources, depending on the resource setting. When resource: service is used, it will collect events from services, and then I think it is fine to use orchestrator.resource.type: service there, but here it is discovering pods and containers, so I think that it is ok to use pod.
| event.Fields.DeepUpdate(kubeMeta) | ||
| event.Fields.DeepUpdate(orchestrator) |
There was a problem hiding this comment.
When beats are run in GKE, add_cloud_metadata adds the orchestrator.cluster.name/url fields, but I think that only if the orchestrator field doesn't exist (unless fields are flattened when they reach here). We will have to check how well both things play together.
Same problem may exist with the autodiscover provider.
For context, the name/url fields were added in #26056 and #26438.
There was a problem hiding this comment.
@jsoriano Thank you for reviewing. And you've verified my suspicion that I should pull the orchestrator parts out and do that is a separate PR.
leehinman
force-pushed
the
beats_ecs_1.11
branch
3 times, most recently
from
6c45afc to
a811822
Compare
|
This pull request is now in conflicts. Could you fix it? 🙏 |
- fields.ecs.yml to ECS 1.11.0-dev - bump ecs.version in configs for modules that don't require changes. Relates elastic#26967
- kubernetes - nomad
will do as separate PR
leehinman
force-pushed
the
beats_ecs_1.11
branch
from
a811822 to
0df0ce5
Compare
|
This PR breaks compatibility with older ES versions (tested with apm-server), which are not supporting update:
|
Thanks for catching this. |
What does this PR do?
Why is it important?
Checklist
- [ ] I have commented my code, particularly in hard-to-understand areas- [ ] I have made corresponding changes to the documentation- [ ] I have made corresponding change to the default configuration filesCHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.How to test this PR locally
Related issues