system package using invalid field values according to ECS

[jsoriano]

[0] parsing field value failed: field "event.type"'s value "authentication_success" is not one of the allowed values (access, admin, allowed, change, connection, creation, deletion, denied, end, error, group, indicator, info, installation, protocol, start, user)
[0] parsing field value failed: field "event.type"'s value "authentication_failure" is not one of the allowed values (access, admin, allowed, change, connection, creation, deletion, denied, end, error, group, indicator, info, installation, protocol, start, user)

"authentication_failure" => "denied"? or "access", and use "event.outcome" to indicate the failure?

Part of #3016

[jsoriano]

@jlind23 I see this has been planned for 8.5 timeline, but this shouldn't be a big change, could this be done earlier? Or do you expect this change to have a big impact in this case?

This is blocking elastic/elastic-package#771, the later we introduce this kind of validations the bigger is the risk to have more invalid values as the ones identified in #3016.

Thanks!

[jsoriano]

I think that the problem is in the values set in this script:

integrations/packages/system/data_stream/auth/elasticsearch/ingest_pipeline/default.yml

Line 132 in 860c837

- script:

[jlind23]

@jsoriano let me then try to find someone for a quick fix in order to make it land before 8.5.

[jsoriano]

Thanks!

[belimawr]

PR created, I'm just not quite sure how to test it against the ECS.

[jsoriano]

You can try something this:

go mod edit -replace github.com/elastic/elastic-package=github.com/jsoriano/elastic-package@check-allowed-values
go mod tidy
go run github.com/elastic/elastic-package test