Import user.group changes from ECS #10275
Conversation
|
However running @cwurm or @andrewkroh what's the proper incantation, to update field definitions for x-pack/auditbeat? |
There was a problem hiding this comment.
However running make update in x-pack/auditbeat/ or auditbeat/ doesn't update anything more than when I run it at the top of the Beats repo.
There is nothing in x-pack/auditbeat to update w.r.t. common fields. The auditbeat/include/fields.go content is inherited by x-pack/auditbeat.
auditbeat/auditbeat.reference.yml
Outdated
| @@ -29,60 +29,26 @@ auditbeat.max_start_delay: 10s | |||
| #========================== Modules configuration ============================= | |||
| auditbeat.modules: | |||
|
|
|||
| # The auditd module collects events from the audit framework in the Linux | |||
There was a problem hiding this comment.
Did you have DEV_OS=darwin set when you updated? Looks like some thing that should be changed have been changed.
There was a problem hiding this comment.
My problem is that I had GOOS and GOARCH set manually, I think. I just resubmitted after generating without those, and it got rid of the config file weirdness.
webmat
force-pushed
the
ecs-import-user-group
branch
2 times, most recently
from
ce2a275 to
c5cf850
Compare
webmat
added
review
and removed
in progress
webmat
changed the title
|
Figured out the But otherwise, this is now ready for official review. |
|
@andrewkroh Part of this (or separate PR) would surely be to import the generated Go files? Not sure how/where to integrate those. Can you show me how? Is it applicable here, or is it not yet being used in Beats? |
|
We should try to always keep the fields yml and the generated code in sync. It should just be a matter of running
Assuming that you have govendor installed. |
|
@andrewkroh Alright, I'll run this here, thanks for the command. Is this encapsulated in a make/mage command, and is govendor be part of the development dependencies? |
|
@andrewkroh Ran the command. The old |
|
Jenkins failure limited to Metricbeat, and appears to be due to network flakiness (tar segfault when getting a Docker image, seems like) |
It's the same problem we have with the generated fields.yml not including them. The reusable fields are not incorporated into generated code so don't worry about adding them. For now if someone wants to use the code it's easy enough to compose your own struct that embeds the reusable type. |
|
This is ready for final review. I would like to get this in Thursday, to unblock #9963 and #10192. @andrewkroh Gotcha, thanks for confirming! |
|
Just noticed I hadn't entered a changelog for a change that affects all beats and causes a mapping conflict. 🤦♂️ Added the changelog now, and will wait until tomorrow to merge :-) |
|
jenkins, test this |
webmat
force-pushed
the
ecs-import-user-group
branch
from
53e23c3 to
bcb5639
Compare
webmat
force-pushed
the
ecs-import-user-group
branch
from
bcb5639 to
e71d1e5
Compare
webmat
force-pushed
the
ecs-import-user-group
branch
from
e71d1e5 to
d1f95c1
Compare
|
@cwurm This has been merged 😃 |
|
Thanks a lot @webmat, I‘ve been eagerly awaiting it! :) |
|
Not 100% sure but it seems this PR broke CI. Not sure why this was merged with a red build? |
|
Seems like it was caused by a change in ES: #10336 We should still if possible not merge red PR's. |
This change enables us to nest the `group` field set at `user.group`, rather than being limited to only group name. Imports the changes from ECS elastic/ecs#308, which solves elastic/ecs#304.
The dependency on elastic/ecs#308 is resolved (see also elastic/ecs#304 for full context). The change is merged. This ECS change lets use nest both the group name and id at
user.group.idanduser.group.name.This PR imports these changes in Beats, and will unblock #9963 and #10192.
Mapping Conflict Warning
If you have any index template from Beats 7.0 pre-release in your Elasticsearch, this change introduces a mapping conflict.
Before:
After this PR:
You will have to overwrite your index templates, delete you indices and your Kibana index templates.