-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Filebeat] Module incompatibility with older ES/Kibana versions #26629
Comments
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
To ensure compatibility with Elasticsearch versions <7.13 this removes usage of `copy_from` in `set` processors. Relates elastic#26629
While we wait to make a decision I opened #26631 to get a quick fix for |
* Replace copy_from with templated value To ensure compatibility with Elasticsearch versions <7.13 this removes usage of `copy_from` in `set` processors. Relates #26629 * panw: replace copy_from usage with script Replaces the usage of a set processor with copy_from (ES 7.13+) with a painless script that performs the same operation and it's backwards compatible. * cyberarkpas: Replace usage of copy_from with script This updates the ID-mapping script to set fields instead of constructing and op-list that is latter processed with foreach/set. * Update CHANGELOG.next.asciidoc Co-authored-by: Adrian Serrano <adrisr83@gmail.com> Co-authored-by: Adrian Serrano <adrisr83@gmail.com>
* Replace copy_from with templated value To ensure compatibility with Elasticsearch versions <7.13 this removes usage of `copy_from` in `set` processors. Relates #26629 * panw: replace copy_from usage with script Replaces the usage of a set processor with copy_from (ES 7.13+) with a painless script that performs the same operation and it's backwards compatible. * cyberarkpas: Replace usage of copy_from with script This updates the ID-mapping script to set fields instead of constructing and op-list that is latter processed with foreach/set. * Update CHANGELOG.next.asciidoc Co-authored-by: Adrian Serrano <adrisr83@gmail.com> Co-authored-by: Adrian Serrano <adrisr83@gmail.com> (cherry picked from commit a7b0110) # Conflicts: # x-pack/filebeat/module/panw/panos/ingest/pipeline.yml # x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml # x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml # x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml # x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml # x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml # x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml # x-pack/filebeat/module/zoom/webhook/ingest/meeting.yml
* Replace copy_from with templated value To ensure compatibility with Elasticsearch versions <7.13 this removes usage of `copy_from` in `set` processors. Relates #26629 * panw: replace copy_from usage with script Replaces the usage of a set processor with copy_from (ES 7.13+) with a painless script that performs the same operation and it's backwards compatible. * cyberarkpas: Replace usage of copy_from with script This updates the ID-mapping script to set fields instead of constructing and op-list that is latter processed with foreach/set. * Update CHANGELOG.next.asciidoc Co-authored-by: Adrian Serrano <adrisr83@gmail.com> Co-authored-by: Adrian Serrano <adrisr83@gmail.com> (cherry picked from commit a7b0110)
* Replace copy_from with templated value To ensure compatibility with Elasticsearch versions <7.13 this removes usage of `copy_from` in `set` processors. Relates #26629 * panw: replace copy_from usage with script Replaces the usage of a set processor with copy_from (ES 7.13+) with a painless script that performs the same operation and it's backwards compatible. * cyberarkpas: Replace usage of copy_from with script This updates the ID-mapping script to set fields instead of constructing and op-list that is latter processed with foreach/set. * Update CHANGELOG.next.asciidoc Co-authored-by: Adrian Serrano <adrisr83@gmail.com> Co-authored-by: Adrian Serrano <adrisr83@gmail.com> (cherry picked from commit a7b0110) Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
* Replace copy_from with templated value To ensure compatibility with Elasticsearch versions <7.13 this removes usage of `copy_from` in `set` processors. Relates #26629 * panw: replace copy_from usage with script Replaces the usage of a set processor with copy_from (ES 7.13+) with a painless script that performs the same operation and it's backwards compatible. * cyberarkpas: Replace usage of copy_from with script This updates the ID-mapping script to set fields instead of constructing and op-list that is latter processed with foreach/set. * Update CHANGELOG.next.asciidoc Co-authored-by: Adrian Serrano <adrisr83@gmail.com> Co-authored-by: Adrian Serrano <adrisr83@gmail.com> (cherry picked from commit a7b0110)
* Replace copy_from with templated value To ensure compatibility with Elasticsearch versions <7.13 this removes usage of `copy_from` in `set` processors. Relates #26629 * panw: replace copy_from usage with script Replaces the usage of a set processor with copy_from (ES 7.13+) with a painless script that performs the same operation and it's backwards compatible. * cyberarkpas: Replace usage of copy_from with script This updates the ID-mapping script to set fields instead of constructing and op-list that is latter processed with foreach/set. * Update CHANGELOG.next.asciidoc Co-authored-by: Adrian Serrano <adrisr83@gmail.com> Co-authored-by: Adrian Serrano <adrisr83@gmail.com> (cherry picked from commit a7b0110) Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
Adding the fact that when a module (or package/integration) has a dashboard, this dashboard can only be installed on a Kibana that runs minimum the same version as the Kibana used to export the included dashboard. That means if a dashboard has a hotfix, then suddenly that dashboard will no longer be available to any older versions of kibana (even though it might have worked before). Personally I feel we should be more strict with the versions supported, we should not be more than one minor version behind the rest of the stack, and should commonly not be newer than the rest of the stack either. There should also be some sort of Asterisk next to the versions, maybe mentioning that beat modules might require a higher minimum level for all functionality to work? |
Pinging @elastic/agent (Team:Agent) |
The support matrix has an asterisk that has a following clarification:
|
@nimarezainia Could you help by confirming that my interpretation of the support matrix is correct? Is the current requirement that Beats 7.14 be compatible with ES/Kibana 7.0? Or have I misinterpreted it. |
@nimarezainia @mostlyjason @sorantis I know you start to think about this also in the context of packages. My personal take: There are 2 layers of compatibility:
Elasticsearch output stays compatible because Elasticsearch is not expected to make breaking changes in minor. For modules we should require the same version of the stack or newer. |
The merging of #27398 will mean that Beats 7.15+ require at least Kibana 7.15 to import dashboards and Kibana index patterns. The release notes will say "Beats can only import and export dasbhboards using at least Kibana 7.15." The support matrix needs to be updating to reflect this when 7.15 is released. |
@andrewkroh this is complex as you have outlined above with many components that have their own support considerations. to begin with, these matrices need to be pruned and show only the beats versions that are currently under support (i.e > 6.8.x) then I propose that we only support two versions (current and one previous) as also mentioned above. If you look at the Endgame table that is a good example. For beats we also have this footnote: "It's highly recommended to run the same minor versions across Elasticsearch, Kibana, and Beats for best monitoring functionality." Allow me to work with @andresrc on these tables and update them and clarify accordingly. |
+1 Another issue the broad compatibility affects is the ability to upgrade to ECS 1.11 which uses the |
This changes the compatibility test for Filebeat modules to test with the previous released minor. Relates elastic#26629
…nor instead of 7.11 (elastic#28274) This changes the compatibility test for Filebeat modules to test with the previous released minor. Relates elastic#26629
In elastic#26629 the issue around running Filebeat against older version of Elasticsearch was discussed and in elastic#28274 testing against the previous minor was introduced. But since 8.0, Filebeat can only ship data to equal or newer versions of Elasticsearch. Because of this, in the tests `TESTING_FILEBEAT_ALLOW_OLDER=1` had to be introduced. I'm opening this PR to remove this testing as it is not something we support anymore.
In #26629 the issue around running Filebeat against older version of Elasticsearch was discussed and in #28274 testing against the previous minor was introduced. But since 8.0, Filebeat can only ship data to equal or newer versions of Elasticsearch. Because of this, in the tests `TESTING_FILEBEAT_ALLOW_OLDER=1` had to be introduced. I'm opening this PR to remove this testing as it is not something we support anymore.
In elastic#26629 the issue around running Filebeat against older version of Elasticsearch was discussed and in elastic#28274 testing against the previous minor was introduced. But since 8.0, Filebeat can only ship data to equal or newer versions of Elasticsearch. Because of this, in the tests `TESTING_FILEBEAT_ALLOW_OLDER=1` had to be introduced. I'm opening this PR to remove this testing as it is not something we support anymore.
Hi! We're labeling this issue as |
In #26629 the issue around running Filebeat against older version of Elasticsearch was discussed and in #28274 testing against the previous minor was introduced. But since 8.0, Filebeat can only ship data to equal or newer versions of Elasticsearch. Because of this, in the tests `TESTING_FILEBEAT_ALLOW_OLDER=1` had to be introduced. I'm opening this PR to remove this testing as it is not something we support anymore.
The Elastic support matrix indicates that the latest Filebeat 7.x version works with all 7.x versions of Elasticsearch. This is an assumption I'm making based on the table pictured below. There is a "Compatibility with Beats" table but it does not include Elasticsearch or Kibana columns.
This is not true for all Filebeat modules because there are specific Elasticsearch features utilized in module ingest node pipelines that require newer ES versions. For example:
set
processorscopy_from
feature. Used to copy objects.convert
processor'stype: ip
. Used to ensure strings are valid IPs forip
mapping fields.registered_domain
is new in 7.13.network_direction
is new in 7.12.There are several other features where Filebeat automatically rewrites the ingest node pipeline to create a compatible pipeline for the current ES version (possibly with a reduced feature set).
append
processorsallow_duplicates
.community_id
is new in 7.12set
processor'signore_empty
.uri_parts
is new in 7.12user_agent
requiresecs: true
in ES [6.7, 7.0).How do we want to handle modules that require specific Elasticsearch versions and how do we indicate this to users in the support matrix?
copy_from
orconvert
withtype: ip
. With this we never get to take advantage of new features in ES.The text was updated successfully, but these errors were encountered: