Update to ECS 8.0 #28620
Pinging @elastic/integrations (Team:Integrations)
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
This pull request is now in conflicts. Could you fix it? 🙏
Nothing standing out from my point. Checked that each beat has the updated versions applied, checked that the ingest pipelines included in the commit are updated properly, and the expected output looks good.
Did not pull it down to check if there were any more files that should have been added. If we feel that is required I can do that as well.
Just some small comments from my side, then LGTM.
-------------------------------------------------------------------------------- | ||
Dependency : github.com/elastic/ecs |
Is this part totally removed now, or is it just github that messes it up?
Yes, it's removed because it's not available anymore in the ECS repo. We could have left the dependency pointing to v1.12 but eventually they could diverge, forcing us to fork anyway.
@@ -62,7 +62,6 @@ require ( | |||
github.com/dustin/go-humanize v1.0.0 | |||
github.com/eapache/go-resiliency v1.2.0 | |||
github.com/eclipse/paho.mqtt.golang v1.3.5 | |||
github.com/elastic/ecs v1.12.0 |
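Review bot: the last line shown, `github.com/elastic/ecs v1.12.0`, is the entry this hunk drops from the `require` block (the header goes from 7 lines to 6), and nothing visible here records where the ECS version and field definitions come from afterwards. Suggest naming the new source and its pinned revision in the PR description, and running `go mod tidy` to confirm no import of `github.com/elastic/ecs` remains, so go.mod and the NOTICE entry for this dependency stay consistent.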
Are we completely removing it as a dependency? From my understanding I think we are, just making sure.
Replace process.ppid with process.parent.pid
This is a better mapping for the `msg` rsa2elk field that was mapped to log.original.
@Mergifyio refresh
Updates the ECS field definitions to the current master (8.0-dev).

- add_process_metadata processor: Replace usage of deprecated `process.ppid` field with `process.parent.pid`.
- add_docker_metadata processor: Replace usage of deprecated `process.ppid` field with `process.parent.pid`.
- Auditbeat: Replace usage of deprecated `process.ppid` field with `process.parent.pid`.
- Auditbeat system/process metricset: Replace usage of deprecated `process.ppid` field with `process.parent.pid`.
- Filebeat all modules: Replace usages of deprecated ECS fields `process.ppid` and `log.original` with `process.parent.pid` and `event.original`.
- Filebeat: Replace usages of `host.user.*` fields with `user.*` in `cisco`, `microsoft` and `oracle` modules.
- Packetbeat http: The field `http.request.method` will maintain its original case.

Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com>

(cherry picked from commit dde7a1f)

# Conflicts:
# x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json
# x-pack/filebeat/module/iptables/log/test/geo.log-expected.json
# x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json
# x-pack/filebeat/module/panw/panos/test/hipmatch.log-expected.json
# x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json
# x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json
# x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json
# x-pack/filebeat/module/panw/panos/test/pan_inc_traffic_ietf.log-expected.json
# x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json
# x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json
# x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json
# x-pack/filebeat/module/squid/log/test/access1.log-expected.json
✅ Pull request refreshed
Updates the ECS field definitions to the current master (8.0-dev).

- add_process_metadata processor: Replace usage of deprecated `process.ppid` field with `process.parent.pid`.
- add_docker_metadata processor: Replace usage of deprecated `process.ppid` field with `process.parent.pid`.
- Auditbeat: Replace usage of deprecated `process.ppid` field with `process.parent.pid`.
- Auditbeat system/process metricset: Replace usage of deprecated `process.ppid` field with `process.parent.pid`.
- Filebeat all modules: Replace usages of deprecated ECS fields `process.ppid` and `log.original` with `process.parent.pid` and `event.original`.
- Filebeat: Replace usages of `host.user.*` fields with `user.*` in `cisco`, `microsoft` and `oracle` modules.
- Packetbeat http: The field `http.request.method` will maintain its original case.

(cherry picked from commit dde7a1f)

Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com>
Co-authored-by: Adrian Serrano <adrisr83@gmail.com>
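The renames in the commit message above also affect saved queries and detection rules that still reference the old field names. The following is an added example, not code from the Beats project, that rewrites deprecated field references in a query string and flags `http.request.method` for a case review; the sample queries are constructed, and applying the `host.user.*` rename to every query (the commit limits it to three modules) is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Deprecated ECS fields named in the commit message and their replacements.
var renames = [][2]string{
	{"process.ppid", "process.parent.pid"},
	{"log.original", "event.original"},
	{"host.user", "user"}, // assumption: applied to all queries, covers host.user.*
}

// token matches either a double-quoted value (left untouched) or a whole
// dotted field reference, so "process.ppid_old" or "xhost.user" never match.
var token = regexp.MustCompile(`"(?:[^"\\]|\\.)*"|[A-Za-z_]\w*(?:\.[\w*]+)+`)

// Rewrite returns the query with deprecated field names replaced, the stale
// references it found, and whether http.request.method needs a case review.
func Rewrite(query string) (out string, stale []string, reviewCase bool) {
	out = token.ReplaceAllStringFunc(query, func(t string) string {
		if strings.HasPrefix(t, `"`) {
			return t
		}
		if t == "http.request.method" {
			reviewCase = true
		}
		for _, r := range renames {
			if t == r[0] || strings.HasPrefix(t, r[0]+".") {
				stale = append(stale, t)
				return r[1] + t[len(r[0]):]
			}
		}
		return t
	})
	return out, stale, reviewCase
}

func main() {
	// Constructed sample queries, not taken from any real rule set.
	for _, q := range []string{
		`process.ppid : 1 and host.user.name : "root"`,
		`message : "process.ppid" and http.request.method : "get"`,
	} {
		fmt.Println(Rewrite(q))
	}
}
```

A query flagged for case review compares against `http.request.method`, whose value now keeps the case seen on the wire, so a comparison that assumes one fixed case may stop matching.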
What does this PR do?

Updates the ECS field definitions to the current master (8.0-dev).

Why is it important?

To use the latest version of ECS.

Breaking changes

- `log.original` (@adriansr)
- `process.ppid` (@adriansr)
- `host.user.*` field reuse (@adriansr)
- [ ] Remove deprecation notice from `http.request.method` (@marc-gr)
- [ ] Migrate `log.origin.file.line` field type from `integer` to `long` (@marc-gr)

Added

- [ ] Function as a Service fields (Beta) (@marc-gr)

Improvements

- [ ] Wildcard type field migration stage 3 (GA)
- [ ] `match_only_text` field type migration stage 3 (GA)
- [ ] Threat indicator fields stage 3 (GA) (@marc-gr)

\* Changes to TI fields are on hold, as Beats don't use the threat.* fields from ECS.

Note to reviewers

All `liblogparser.js` files include the same changes (same file):