-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[logging] Use Elastic Common Schema (ECS) #52226
Comments
Pinging @elastic/kibana-operations (Team:Operations) |
We may need to coordinate here between Operations and Platform. We are currently working on moving to a new logging configuration that more closely matches Elasticsearch's config (#41956). I don't anticipate any conflicts here, I think we'll just need to change the @restrry anything else we should consider here? |
@tylersmalley do you know if elasticsearch already adopted ECS format for JSON layout?
I can see Also, I have some questions regarding the Log ECS format https://www.elastic.co/guide/en/ecs/current/ecs-log.html
we need to go through the list of ECS fields to understand how they are matched to the existing format. We might have to add some helpers to formalize what type of data we expect to be passed to the logger. For example for HTTP log record with the format https://www.elastic.co/guide/en/ecs/current/ecs-http.html: interface HttpLogRecord {
request: {
body: {
bytes: number;
content: string;
};
bytes: number;
method: HttpMethod;
referrer: string;
// ...
}
log.info(message: string, meta: HttpLogRecord | Record<string, any>) Right now it looks like another breaking change in the logging format. It should be done before GA of NP logging config. |
@jbudz Do you have questions about this issue? After that we can start reformatting existing logs to ECS naming format: |
as of 8.0. There's an option to fallback to the older json format.
yes the log properties would be prefixed,
circling back on this for a full example. i believe there's room for interpretation, but generally they'll be separate. http events would be one log entry separate from status events
on it - combining this with the previous question, i'll add a group by group example for review/discussion |
@jbudz just for reference: elasticsearch doesn't define a specific type of serializable object passed to logs, but |
This is going to evolve over time so I'm going to reopen this for discussions.
There's no end users of the logger yet (the new platform logger in general). I'll be taking a first pass with elasticsearch query logging, and audit logging will probably be a parallel effort. This is going to overlap with other logging tasks e.g. log sanitization. For now, the API is log(message, ecs_fields.) ECS fields are optional, and each entry will get a timestamp, pid, log level. I'm hoping to keep the top level API the same but the internals are going to evolve. Here's a general list of additions:
|
|
Ah as in by default each log will message will include....will include fields x y and z and we can probabbly extend it to log subclasses too |
@jbudz any progress with this? |
There was a commit merged recently which did 1 and 2 (not from me), and 3 makes sense with an implementation. We can reopen this or go for specifics in a new issue, but going to close this for now. |
@jbudz could you link the PR? I don't see it's fixed.
uses kibana/src/core/server/logging/layouts/json_layout.test.ts Lines 99 to 104 in ab92bbb
uses
Could you elaborate on |
I opened #86330 for the lodash merge fix. Apologies, at one point I had a PR up that had merge conflicts on the imports and I must have wrongly followed the thread. How do you feel about |
Since everything is moving to https://github.com/elastic/ecs and we're looking to ingest logs into Elasticsearch, we should use 8.0 as a chance to migrate to ECS by default. Before 8.0, this format could be opt-in. So, the JSON output would be in ECS format.
The text was updated successfully, but these errors were encountered: