Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Filebeat] user_agent field errors with Filebeat 7 and Elasticsearch 6 #10655

Closed
andrewkroh opened this issue Feb 9, 2019 · 3 comments
Closed

[Filebeat] user_agent field errors with Filebeat 7 and Elasticsearch 6 #10655

andrewkroh opened this issue Feb 9, 2019 · 3 comments
Assignees
@jsoriano
Labels
blocker bug ecs Filebeat Filebeat Team:Integrations Label for the Integrations team v7.0.0

Comments

@andrewkroh
Copy link
Member

The Suricata modules's ingest pipeline fails due to changes (elastic/elasticsearch#37329) in the user_agent processor in ES ingest node. I suspect other modules are affected by this problem.

  • {"type":"mapper_parsing_exception","reason":"object mapping for [user_agent.os] tried to parse field [os] as object, but found a concrete value"}
  • {"type":"mapper_parsing_exception","reason":"object mapping for [user_agent.device] tried to parse field [device] as object, but found a concrete value"}

In order to make the ES 6.x user_agent processor's output compatible with the Filebeat template we need to add some renames/sets after the user_agent in the pipeline.
@ruflin
Copy link
Contributor

ruflin commented Feb 11, 2019
edited
Loading

Elasticsearch 6.6 / 6.7 has a config option ecs: enabled for the user_agent. Adding these would create the same data structure. The problem here is that this flag is deprecated in 7.x, meaning if we add it we keep deprecated log messages. It will also mean Filebeat 7.x is only compatible with Elasticsearch 6.6 / 6.7.

This is also related to: #10650

@ruflin ruflin mentioned this issue Feb 11, 2019
Closed
@ruflin ruflin added blocker Team:Integrations Label for the Integrations team v7.0.0 labels Feb 11, 2019
@andrewkroh
Copy link
Member Author

In order to allow Filebeat 7.x remain compatible with Elasticsearch 6.x, Filebeat would need to dynamically inject ecs: true into the pipelines that it creates (for ES 6.x only). Otherwise the data produced by the user_agent processor will not be compatible with the mapping used in Filebeat 7.

@jsoriano jsoriano mentioned this issue Feb 21, 2019
Merged
@jsoriano
Copy link
Member

In order to allow Filebeat 7.x remain compatible with Elasticsearch 6.x, Filebeat would need to dynamically inject ecs: true into the pipelines that it creates (for ES 6.x only). Otherwise the data produced by the user_agent processor will not be compatible with the mapping used in Filebeat 7.

@andrewkroh thanks for this suggestion, I am giving a try to this idea in #10875. I have seen that ecs option is not available in in Elasticsearch 6.6, so Filebeat 7 pipelines with user_agent will only be compatible with 6.7. As you mentioned this issue affects all modules using user_agent processor.

jsoriano added a commit that referenced this issue Feb 25, 2019
@jsoriano
Force ECS options in filebeat pipelines when filebeat version is over…
34eaf57 
… 7.0 and ES version is 6.7.X (#10875)

When using the `user_agent` processor to ingest data from Filebeat 7.0
into Elasticsearch 6.X conflicts appear with ECS user_agent fields, this can
be solved by setting `ecs: true` when pipelines are being loaded into
Elasticsearch 6.7.0.

For minor versions where `ecs` option is not available, pipelines will fail
to load.

Fix #10655
jsoriano added a commit to jsoriano/beats that referenced this issue Feb 25, 2019
@jsoriano
Force ECS options in filebeat pipelines when filebeat version is over…
ef7742f 
… 7.0 and ES version is 6.7.X (elastic#10875)

When using the `user_agent` processor to ingest data from Filebeat 7.0
into Elasticsearch 6.X conflicts appear with ECS user_agent fields, this can
be solved by setting `ecs: true` when pipelines are being loaded into
Elasticsearch 6.7.0.

For minor versions where `ecs` option is not available, pipelines will fail
to load.

Fix elastic#10655

(cherry picked from commit 34eaf57)
@jsoriano jsoriano mentioned this issue Feb 25, 2019
Merged
jsoriano added a commit that referenced this issue Feb 25, 2019
@jsoriano
Force ECS options in filebeat pipelines when filebeat version is over…
79c38b6 
… 7.0 and ES version is 6.7.X (#10875) (#10930)

When using the `user_agent` processor to ingest data from Filebeat 7.0
into Elasticsearch 6.X conflicts appear with ECS user_agent fields, this can
be solved by setting `ecs: true` when pipelines are being loaded into
Elasticsearch 6.7.0.

For minor versions where `ecs` option is not available, pipelines will fail
to load.

Fix #10655

(cherry picked from commit 34eaf57)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jsoriano jsoriano

Labels
blocker bug ecs Filebeat Filebeat Team:Integrations Label for the Integrations team v7.0.0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jsoriano @ruflin @andrewkroh