Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

field collisions with organization.id & elastic maintained integrations #2250

Open
neu5ron opened this issue Aug 4, 2023 · 0 comments
Open

field collisions with organization.id & elastic maintained integrations #2250

neu5ron opened this issue Aug 4, 2023 · 0 comments
Labels
bug Something isn't working

Comments

@neu5ron
Copy link

neu5ron commented Aug 4, 2023

Description of the issue:
organization.id is a common field that can be used in multi-tenant environments. However, there are multiple elastic managed pipelines (o365 audit, cisco meraki, google workspace, zscaler, and possibly more)
that try to set organization.id and fails if the organization.id already exists. It should be noted in the ECS documentation to not set this field upfront or pipelines should be changed. i will create an integrations bug report (which is where those pipelines are maintained).

reference o365audit pipeline
https://github.com/elastic/integrations/blob/b50c74066d3cca005259bcfccd7543b9dc4a107b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml#L73

https://www.elastic.co/guide/en/ecs/current/ecs-organization.html#field-organization-id

Any additional context or examples:
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@neu5ron