[Winlog] Can't modify Dataset Name / event.dataset not conforming to ECS #5239

Merged
merged 7 commits into from
Feb 16, 2023

Conversation

nicpenning
Contributor

@nicpenning nicpenning commented Feb 10, 2023

  • Bug

What does this PR do?

Integration Impacted: Custom Windows Event Logs integration

[Screenshot of default Dataset name]

Currently, the event.dataset is set to a constant_keyword which prevents anyone from changing the dataset in the custom windows integration. This should be a keyword to conform to ECS and allow anyone to modify the dataset in the integration as it is provided today.

If you change winlog.winlog to anything, this will likely error.

Preview of field's value: 'windows.applocker'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"[constant_keyword] field [event.dataset] only accepts values that are equal to the value defined in the mappings [winlog.winlog], but got [windows.applocker]"}}}}}

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Screenshots: [screenshot omitted]
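Added illustration, not part of this PR or the winlog package: a small Python model of the index-time check behind the error quoted above. The field definitions are written inline as already-parsed fields.yml entries (the constant_keyword definition before this PR and the plain keyword definition after it), the two documents are constructed sample events, and the validation logic mirrors the documented constant_keyword semantics, including the case where no value is declared and the first non-null value indexed becomes the constant.

```python
"""Model of how Elasticsearch accepts or rejects event.dataset under a
constant_keyword mapping versus a keyword mapping.

This is an added example, not Elasticsearch or winlog package code. The
field definitions below have the shape of parsed fields.yml entries and
the events are constructed samples.
"""

# Field definition as shipped before this PR: pinned to the package default.
FIELDS_BEFORE = [
    {"name": "event.dataset", "type": "constant_keyword", "value": "winlog.winlog"},
]

# Field definition after this PR: the ECS type, so any dataset name is accepted.
FIELDS_AFTER = [
    {"name": "event.dataset", "type": "keyword"},
]


class MappingError(ValueError):
    """Stands in for Elasticsearch's illegal_argument_exception."""


def build_mapping(fields):
    """Index field definitions by dotted field name (copied, so tests can mutate)."""
    return {f["name"]: dict(f) for f in fields}


def get_path(doc, dotted):
    """Resolve a dotted ECS field name such as 'event.dataset' in a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def index_document(mapping, doc):
    """Apply the constant_keyword / keyword rules of `mapping` to one document.

    Returns the mapping, which may have been updated: Elasticsearch sets an
    undeclared constant_keyword `value` to the first non-null value it sees.
    Raises MappingError with the same reason text Elasticsearch reports when a
    constant_keyword receives a different value.
    """
    for name, spec in mapping.items():
        value = get_path(doc, name)
        if value is None:  # null / missing is accepted by both field types
            continue
        if spec["type"] == "constant_keyword":
            if "value" not in spec:
                spec["value"] = value  # first indexed value becomes the constant
            elif spec["value"] != value:
                raise MappingError(
                    f"[constant_keyword] field [{name}] only accepts values that are "
                    f"equal to the value defined in the mappings [{spec['value']}], "
                    f"but got [{value}]"
                )
        elif spec["type"] == "keyword":
            pass  # any string is accepted, which is what ECS defines for event.dataset
        else:
            raise MappingError(f"unsupported field type [{spec['type']}] for [{name}]")
    return mapping


def try_index(fields, doc):
    """Return (accepted, reason): reason is None on success."""
    try:
        index_document(build_mapping(fields), doc)
        return True, None
    except MappingError as exc:
        return False, str(exc)


# Constructed sample events: the package default, and an AppLocker event from a
# policy whose dataset name was changed in the integration UI.
DEFAULT_EVENT = {
    "event": {"dataset": "winlog.winlog"},
    "winlog": {"channel": "System"},
}
APPLOCKER_EVENT = {
    "event": {"dataset": "windows.applocker"},
    "winlog": {"channel": "Microsoft-Windows-AppLocker/EXE and DLL"},
}

if __name__ == "__main__":
    for label, fields in (("before", FIELDS_BEFORE), ("after", FIELDS_AFTER)):
        for doc in (DEFAULT_EVENT, APPLOCKER_EVENT):
            ok, why = try_index(fields, doc)
            print(label, doc["event"]["dataset"], "accepted" if ok else f"rejected: {why}")
```

On a live cluster, GET <index>/_mapping/field/event.dataset shows which type a backing index actually carries and, for constant_keyword, the pinned value. Because Elastic Agent sends event.dataset on every document, a policy with a changed dataset name fails at index time with the reason string above rather than silently. Changing the package definition only affects backing indices created after the template is updated; an existing backing index keeps its constant_keyword mapping until it rolls over.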

@nicpenning nicpenning requested a review from a team as a code owner February 10, 2023 21:44
@nicpenning nicpenning changed the title Use ECS version of event.dataset instead of base [Winlog] Use ECS version of event.dataset instead of base Feb 10, 2023
@elasticmachine

elasticmachine commented Feb 10, 2023

💚 Build Succeeded


Build stats

  • Start Time: 2023-02-16T00:40:27.362+0000

  • Duration: 15 min 24 sec

Test stats 🧪

Test Results
Failed 0
Passed 2
Skipped 0
Total 2

🤖 GitHub comments


To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@nicpenning nicpenning changed the title [Winlog] Use ECS version of event.dataset instead of base [Winlog] Can't modify Dataset Name / event.dataset not conforming to ECS Feb 11, 2023
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

Member

@andrewkroh andrewkroh left a comment


LGTM. The fact that Elastic Agent is always setting event.dataset seems risky (and wasteful of storage) given that almost all integrations use a constant_keyword with static value.

@nicpenning
Contributor Author

Awesome 👌🏻

@andrewkroh
Member

andrewkroh commented Feb 16, 2023

[2023-02-15T23:26:09.700Z] Error: checking package failed: checking readme files are up-to-date failed: files do not match

CI says the readme needs to be rebuilt. Can you please run elastic-package build and commit the updated file.

@elasticmachine

🌐 Coverage report

| Name | Metrics % (covered/total) | Diff |
| --- | --- | --- |
| Packages | 100.0% (0/0) | 💚 |
| Files | 100.0% (0/0) | 💚 |
| Classes | 100.0% (0/0) | 💚 |
| Methods | 66.667% (2/3) | |
| Lines | 100.0% (0/0) | 💚 |
| Conditionals | 100.0% (0/0) | 💚 |

@andrewkroh andrewkroh merged commit 69e892e into elastic:main Feb 16, 2023
@elasticmachine

Package winlog - 1.12.1 containing this change is available at https://epr.elastic.co/search?package=winlog

@nicpenning
Contributor Author

Thanks for running that for me and reviewing this!

@nicpenning nicpenning deleted the patch-2 branch February 16, 2023 01:40
bhapas pushed a commit to bhapas/integrations that referenced this pull request Feb 16, 2023
…astic#5239)

The event.dataset is set to a constant_keyword which prevents anyone from changing the dataset in the custom windows integration.