Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add container ECS fields in kubernetes metadata #20984

Merged
merged 13 commits into from
Sep 9, 2020

Conversation

ChrsMark
Copy link
Member

@ChrsMark ChrsMark commented Sep 4, 2020

What does this PR do?

This PR adds container.id, container.runtime and container.image.name in kubernetes metadata to be compliant with https://www.elastic.co/guide/en/ecs/current/ecs-container.html

Why is it important?

In final events the metadata do not include container.id, container.runtime and container.image.name.

Related issues

How to test this PR

  1. Configure and run Filebeat in k8s:
filebeat.autodiscover:
      providers:
        - type: kubernetes
          node: ${NODE_NAME}
          hints.enabled: true
          hints.default_config:
            type: container
            paths:
              - /var/log/containers/*${data.kubernetes.container.id}.log

Make sure that container.id, container.runtime and container.image.name exist in the final documents in ES.

  1. Configure and run Filebeat in k8s:
filebeat.inputs:
    - type: container
      paths:
        - /var/log/containers/*.log
      processors:
        - add_kubernetes_metadata:
            host: ${NODE_NAME}
            indexers:
            - container:
            matchers:
            - logs_path:
                logs_path: "/var/log/containers/"

Screenshots

Screenshot 2020-09-08 at 13 56 03

Signed-off-by: chrismark <chrismarkou92@gmail.com>
@ChrsMark ChrsMark added bug needs_backport PR is waiting to be backported to other branches. v7.9.0 v7.10.0 labels Sep 4, 2020
@ChrsMark ChrsMark requested a review from jsoriano September 4, 2020 12:22
@ChrsMark ChrsMark self-assigned this Sep 4, 2020
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Sep 4, 2020
@ChrsMark ChrsMark added the Team:Platforms Label for the Integrations - Platforms team label Sep 4, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/integrations-platforms (Team:Platforms)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Sep 4, 2020
@elasticmachine
Copy link
Collaborator

elasticmachine commented Sep 4, 2020

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Pull request #20984 updated]

  • Start Time: 2020-09-09T07:11:12.179+0000

  • Duration: 76 min 8 sec

Test stats 🧪

Test Results
Failed 0
Passed 19781
Skipped 1837
Total 21618

Signed-off-by: chrismark <chrismarkou92@gmail.com>
@jsoriano jsoriano added v7.9.2 and removed v7.9.0 labels Sep 4, 2020
Copy link
Member

@jsoriano jsoriano left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! LGTM

It'd be nice to have some test to detect the loss of these fields. We would also need to check if add_kubernetes_metadata has similar issues.

libbeat/autodiscover/providers/kubernetes/pod.go Outdated Show resolved Hide resolved
Signed-off-by: chrismark <chrismarkou92@gmail.com>
Signed-off-by: chrismark <chrismarkou92@gmail.com>
@ChrsMark ChrsMark requested a review from jsoriano September 7, 2020 07:39
@ChrsMark ChrsMark changed the title Add container id in kubemeta initialisation Add container id and runtime in kubernetes metadata Sep 7, 2020
Signed-off-by: chrismark <chrismarkou92@gmail.com>
@ChrsMark ChrsMark requested a review from a team as a code owner September 7, 2020 13:11
Signed-off-by: chrismark <chrismarkou92@gmail.com>
Signed-off-by: chrismark <chrismarkou92@gmail.com>
@ChrsMark ChrsMark changed the title Add container id and runtime in kubernetes metadata Add container ECS fields in kubernetes metadata Sep 8, 2020
Signed-off-by: chrismark <chrismarkou92@gmail.com>
Signed-off-by: chrismark <chrismarkou92@gmail.com>
Signed-off-by: chrismark <chrismarkou92@gmail.com>
Signed-off-by: chrismark <chrismarkou92@gmail.com>
Signed-off-by: chrismark <chrismarkou92@gmail.com>
Copy link
Member

@jsoriano jsoriano left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

libbeat/processors/add_kubernetes_metadata/indexers.go Outdated Show resolved Hide resolved
Signed-off-by: chrismark <chrismarkou92@gmail.com>
@ChrsMark ChrsMark merged commit bcb4e0c into elastic:master Sep 9, 2020
ChrsMark added a commit to ChrsMark/beats that referenced this pull request Sep 9, 2020
@ChrsMark ChrsMark removed the needs_backport PR is waiting to be backported to other branches. label Sep 9, 2020
ChrsMark added a commit to ChrsMark/beats that referenced this pull request Sep 9, 2020
ChrsMark added a commit that referenced this pull request Sep 9, 2020
v1v added a commit to v1v/beats that referenced this pull request Sep 14, 2020
* upstream/master: (362 commits)
  Add vendoring to Google Cloud Functions again (elastic#21070)
  [Elastic Agent] Add fleet.host.id for sending to endpoint. (elastic#21042)
  Do not need Google credentials before using it (elastic#21072)
  [Filebeat][New Module] Zoom webhook module (elastic#20414)
  Add support for GMT timezone offset in decode_cef (elastic#20993)
  Filebeat: Fix random error on harvester close (elastic#21048)
  Add ingress controller dashboards (elastic#21052)
  Fix loggers in composable module. (elastic#21047)
  [Ingest Manager] Increase kibana client timeout to 5 minutes (elastic#21037)
  Add changelog. (elastic#21041)
  [Elastic Agent] Add support for EQL based conditions (elastic#20994)
  Disable Kafka metricsets based on Jolokia (elastic#20989)
  Update apm agent (elastic#21031)
  Add container ECS fields in kubernetes metadata (elastic#20984)
  Sanitize event.host in Metricbeat (elastic#21022)
  Update api-keys.asciidoc - API key prerequisites (elastic#21026)
  [Filebeat][suricata] Map x509 for suricata/eve fileset (elastic#20973)
  [Filebeat][santa] Map x509 fields in santa module (elastic#20976)
  [Filebeat][fortinet] Map x509 ecs fields for fortinet fw fileset (elastic#20983)
  Bump zeek kerberos/ssl/x509 ecs version (elastic#21003)
  ...
v1v added a commit to v1v/beats that referenced this pull request Sep 14, 2020
* upstream/master: (364 commits)
  Add vendoring to Google Cloud Functions again (elastic#21070)
  [Elastic Agent] Add fleet.host.id for sending to endpoint. (elastic#21042)
  Do not need Google credentials before using it (elastic#21072)
  [Filebeat][New Module] Zoom webhook module (elastic#20414)
  Add support for GMT timezone offset in decode_cef (elastic#20993)
  Filebeat: Fix random error on harvester close (elastic#21048)
  Add ingress controller dashboards (elastic#21052)
  Fix loggers in composable module. (elastic#21047)
  [Ingest Manager] Increase kibana client timeout to 5 minutes (elastic#21037)
  Add changelog. (elastic#21041)
  [Elastic Agent] Add support for EQL based conditions (elastic#20994)
  Disable Kafka metricsets based on Jolokia (elastic#20989)
  Update apm agent (elastic#21031)
  Add container ECS fields in kubernetes metadata (elastic#20984)
  Sanitize event.host in Metricbeat (elastic#21022)
  Update api-keys.asciidoc - API key prerequisites (elastic#21026)
  [Filebeat][suricata] Map x509 for suricata/eve fileset (elastic#20973)
  [Filebeat][santa] Map x509 fields in santa module (elastic#20976)
  [Filebeat][fortinet] Map x509 ecs fields for fortinet fw fileset (elastic#20983)
  Bump zeek kerberos/ssl/x509 ecs version (elastic#21003)
  ...
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Team:Platforms Label for the Integrations - Platforms team v7.9.2 v7.10.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Container id not included in Kubernetes events
3 participants