
[Alerting] add ECS 1.4/1.5 updates to event log schema #61891

Closed
pmuellr opened this issue Mar 30, 2020 · 2 comments · Fixed by #64389
Labels: Feature:Alerting, Team:ResponseOps (label for the ResponseOps team, formerly the Cases and Alerting teams)

Comments


pmuellr commented Mar 30, 2020

The event log for alerting is currently based on ECS 1.3.1. Since that original work was done, ECS is now at version 1.5. We should do a little work to figure out what additional fields we might be able to make use of.

A quick perusal yields event.outcome as something we likely want to add, for action and alert execution event docs - to indicate success and failure. Currently I believe we create an error.message when the functions hit errors, and do not create that field when the functions run without errors.

There may be some additional goodies in here ...

@pmuellr pmuellr added Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) labels Mar 30, 2020
elasticmachine (Contributor) commented

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@pmuellr pmuellr self-assigned this Apr 24, 2020

pmuellr commented Apr 24, 2020

We upgraded to ECS 1.5, the most current version ATM, a few weeks ago as part of a different PR.

I re-checked the ECS fields, found a new interesting one, event.outcome. Value of success, failure, or unknown. This is nice, as the only way we have of determining an error for an alert or action execution is via having an error.message field set to any value. Having something a little more direct is nice. I'll add that field, and set it in the action and alert executors.
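The change discussed above, as an added illustration rather than Kibana's own event-log code: an executor writes `event.outcome` explicitly, and a reader tolerates documents written before the field existed by falling back to the presence of `error.message`. The document shape, the `event.action` value and the function names are assumptions for this example.

```typescript
// Added example, not Kibana event-log code. Field names follow ECS; the
// document shape and 'execute' action value are assumptions for illustration.
type Outcome = 'success' | 'failure' | 'unknown';

interface EventLogDoc {
  '@timestamp': string;
  event: { action: string; outcome?: Outcome };
  error?: { message: string };
}

// Document written after an alert/action executor run. `err` is undefined on
// success; error.message is only set when the executor actually failed.
function buildExecutionDoc(action: string, err?: Error, now = new Date()): EventLogDoc {
  const doc: EventLogDoc = {
    '@timestamp': now.toISOString(),
    event: { action, outcome: err ? 'failure' : 'success' },
  };
  if (err) {
    doc.error = { message: err.message };
  }
  return doc;
}

// Read side: prefer the explicit event.outcome; for older documents without it,
// derive the outcome from whether error.message exists, as the issue describes.
function outcomeOf(doc: EventLogDoc): Outcome {
  if (doc.event.outcome) {
    return doc.event.outcome;
  }
  return doc.error?.message !== undefined ? 'failure' : 'success';
}

// Count failures across a mix of old- and new-style documents (constructed sample).
function countFailures(docs: EventLogDoc[]): number {
  return docs.filter((d) => outcomeOf(d) === 'failure').length;
}

const sampleDocs: EventLogDoc[] = [
  buildExecutionDoc('execute'),
  buildExecutionDoc('execute', new Error('connector timed out')),
  // legacy document: no event.outcome, failure signalled only by error.message
  { '@timestamp': '2020-03-30T00:00:00.000Z', event: { action: 'execute' }, error: { message: 'boom' } },
  // legacy document: no event.outcome and no error, i.e. a successful run
  { '@timestamp': '2020-03-30T00:00:00.000Z', event: { action: 'execute' } },
];
```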

pmuellr added a commit to pmuellr/kibana that referenced this issue Apr 24, 2020
resolves elastic#61891

Adds a relatively new ECS field `event.outcome`. Value of `success`, `failure`,
or `unknown`. This is nice, as the only way we have currently of determining an
error for an alert or action execution in the log is the existence of an
`error.message` field.  It is added to the documents for those events.

see: https://www.elastic.co/guide/en/ecs/current/ecs-event.html
pmuellr added a commit that referenced this issue Apr 28, 2020
resolves #61891

Adds a relatively new ECS field `event.outcome`. Value of `success`, `failure`,
or `unknown`. This is nice, as the only way we have currently of determining an
error for an alert or action execution in the log is the existence of an
`error.message` field.  It is added to the documents for those events.

see: https://www.elastic.co/guide/en/ecs/current/ecs-event.html
pmuellr added a commit to pmuellr/kibana that referenced this issue Apr 28, 2020
…c#64389)

resolves elastic#61891

Adds a relatively new ECS field `event.outcome`. Value of `success`, `failure`,
or `unknown`. This is nice, as the only way we have currently of determining an
error for an alert or action execution in the log is the existence of an
`error.message` field.  It is added to the documents for those events.

see: https://www.elastic.co/guide/en/ecs/current/ecs-event.html
pmuellr added a commit that referenced this issue Apr 28, 2020
#64616)

resolves #61891

Adds a relatively new ECS field `event.outcome`. Value of `success`, `failure`,
or `unknown`. This is nice, as the only way we have currently of determining an
error for an alert or action execution in the log is the existence of an
`error.message` field.  It is added to the documents for those events.

see: https://www.elastic.co/guide/en/ecs/current/ecs-event.html
@kobelb kobelb added the needs-team Issues missing a team label label Jan 31, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022