updated ECS version to 8.3 and added missing mappings to process inde… #280
Conversation
|
The mappings seem to appear in the generated output, but when I ran make run-registry, they never got updated on my local ES. Kibana is talking to the local registry server fine, but yea. Not sure if I missed something. Thanks. |
💚 Build Succeeded
Expand to view the summary
Build stats
🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
|
/test |
|
Looking further I notice the new fields appear in the "/endpoint-package/out/schema/linux_event_model_event/generated/beats/fields.ecs.yml" file, but not in /endpoint-package/package/endpoint/data_stream/process/fields/fields.yml |
| "42:01:0a:c9:00:22" | ||
| "00-00-5E-00-53-23" |
There was a problem hiding this comment.
cc @ferullo is Endpoint sending macs in this new format now?
|
@mitodrummer the endpoint package |
|
@pzl Not having these changes breaks our K8s Dashboard. We assumed that endpoint-package 8.4.0 would have ECS 8.3.x fields, but it doesn't seem to be the case. Is there any way we can get these changes into 8.4.0? |
|
Are there additional fields that were intended to be added in this PR? The only actual mapping changes I see are the addition of these fields: [process]
Are these all the ECS 8.3 fields we are talking about that needed to be added here? The endpoint package For reference for future cycles, we need mapping changes earlier in the release cycle if we want to time them with stack release. The package feature-freeze will soon be at least at the same time as stack feature freeze, if not earlier, so that testing can commence during the freeze period (and earlier) |
|
Yes, these are ECS 8.3. |
|
There was an assumption here that 8.n will have all the content from 8.n-1 release. We should've checked it in time, but I think we should also try to keep endpoint package up-to-date with (at-least) n-1 release, otherwise we should get rid of the matching release numbers, they keep causing confusion :) |
|
The endpoint package does not automatically pull in ECS changes for each release. Any fields that need to be added for a given release must have an explicit PR adding them. I don't believe there are plans to have the mappings change each release without specific intent. For instance, in this case, if we were to update the ECS tag to |
|
ah, I see. Are you suggesting that we can release EPP 8.4.1 before 8.4.0 stack release to workaround this? |
|
Yes, we will release package 8.4.1 as soon as this PR (and #276) are merged. If there are additional changes to merge or bugs to fix (e.g. perhaps a field typo in this PR) we will cut as many patch releases as needed before the stack 8.4.0 release |
|
@lrishi @zizhouW @mitodrummer @norrietaylor I just had a quick call with @pzl out-of-band to educate myself on timing. Thank you, @pzl, for helping me understand the release cadence between endpoint-package and the stack release. The endpoint-package release is a less formal process which can be kicked off by @pzl at any time. There's confusion that 8.4.1 package release has any association with 8.4.1 stack release. The major and minor versions of the package release will be associated with the major and minor versions of the stack release. e.g. 8.4.0 stack release can be associated with 8.4.999 of the package release. What it boils down to is that this change most likely will be included within the next package release, e.g. 8.4.1 and will go out BEFORE the 8.4.0 stack release. @pzl can make this happen. - thank you again. From my side, there are no concerns here. We will get this change in very soon, and it will get published before our 8.4.0 stack release. |
|
Awesome, thanks everyone |
…x for k8s fields
Change Summary
This PR bumps the targeted ECS version to 8.3.1.
The following mappings should now be present on the process datastream template:
Release Target
8.4
Q/A
For mapping changes:
makeafter making the schema changes, and committed all changes