[Zeek Radius] Add ECS compliance for event.outcome field in RADIUS data stream and add tunnel_client field support #17306

Merged
haetamoudi merged 7 commits into elastic:main from haetamoudi:26613-zeek-radius-integration-ecs-compliance-for-field-eventoutcome
Apr 15, 2026
@haetamoudi haetamoudi commented Feb 9, 2026

Proposed commit message

Add ECS compliance for event.outcome field in RADIUS data stream and add tunnel_client field support

Zeek docs

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Related issues

Fixes https://github.com/elastic/enhancements/issues/26613

Screenshots

@haetamoudi haetamoudi requested a review from a team as a code owner February 9, 2026 10:50
@haetamoudi haetamoudi added the enhancement New feature or request label Feb 9, 2026

github-actions bot commented Feb 9, 2026

✅ Vale Linting Results

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

elastic-vault-github-plugin-prod bot commented Feb 9, 2026

🚀 Benchmarks report

Package zeek 👍(27) 💚(9) 💔(7)

| Data stream | Previous EPS | New EPS | Diff (%) | Result |
|---|---|---|---|---|
| known_services | 52631.58 | 43478.26 | -9153.32 (-17.39%) | 💔 |
| pe | 30303.03 | 21276.6 | -9026.43 (-29.79%) | 💔 |
| smb_mapping | 45454.55 | 38461.54 | -6993.01 (-15.38%) | 💔 |
| dce_rpc | 18518.52 | 12195.12 | -6323.4 (-34.15%) | 💔 |
| dhcp | 32258.06 | 20000 | -12258.06 (-38%) | 💔 |
| dns | 30303.03 | 18867.92 | -11435.11 (-37.74%) | 💔 |
| ftp | 41666.67 | 29411.76 | -12254.91 (-29.41%) | 💔 |

To see the full report comment with /test benchmark fullreport

@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Team:Integration-Experience Security Integrations Integration Experience [elastic/integration-experience] labels Feb 9, 2026
@elasticmachine

Pinging @elastic/integration-experience (Team:Integration-Experience)

@qcorporation
Contributor

@haetamoudi this looks ok - do you know if customers would build rules off of the existing wrong behaviour, where event.outcome=failed. Could this break alerts?

cc. @taylor-swanson just to get some eyes

@taylor-swanson
Contributor

> @haetamoudi this looks ok - do you know if customers would build rules off of the existing wrong behaviour, where event.outcome=failed. Could this break alerts?
>
> cc. @taylor-swanson just to get some eyes

It probably will. For that reason, this should be a breaking change.


@taylor-swanson taylor-swanson left a comment

Comment thread packages/zeek/changelog.yml Outdated
Comment thread packages/zeek/changelog.yml Outdated
Comment thread packages/zeek/manifest.yml Outdated
haetamoudi and others added 3 commits February 11, 2026 08:35
Co-authored-by: Taylor Swanson <90622908+taylor-swanson@users.noreply.github.com>
Co-authored-by: Taylor Swanson <90622908+taylor-swanson@users.noreply.github.com>
Co-authored-by: Taylor Swanson <90622908+taylor-swanson@users.noreply.github.com>

@taylor-swanson taylor-swanson left a comment

LGTM

@qcorporation, @haetamoudi, does the breaking change committee need to be notified about this?

@haetamoudi
Contributor Author

@taylor-swanson I did not know about the breaking change committee. Is there an official process defined somewhere?

botelastic bot commented Mar 14, 2026

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:. Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Mar 14, 2026
@taylor-swanson
Contributor

@haetamoudi, if this has been approved by the breaking change committee, can we go ahead and merge this (after resolving the conflicts)?

@botelastic botelastic bot removed the Stalled label Apr 10, 2026
@elasticmachine

💚 Build Succeeded

@haetamoudi haetamoudi merged commit b47ae05 into elastic:main Apr 15, 2026
11 checks passed
@elastic-vault-github-plugin-prod

Package zeek - 5.0.0 containing this change is available at https://epr.elastic.co/package/zeek/5.0.0/

Labels

documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:zeek Zeek Team:Integration-Experience Security Integrations Integration Experience [elastic/integration-experience]
