Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Fleet] Prevent output changing types from Elasticsearch -> Logstash if a Fleet Server policy uses it #152234

Closed
kpollich opened this issue Feb 27, 2023 · 15 comments · Fixed by #153226
Assignees
Labels
bug Fixes for quality problems that affect the customer experience Team:Fleet Team label for Observability Data Collection Fleet team

Comments

@kpollich
Copy link
Member

Fleet Server can only output to Elasticsearch. We've made one key change in #148896 wherein a policy containing the Fleet Server integration cannot have its output set to a Logstash output. However, we need to ensure that the same validation applies when an existing output is edited to have its type changed from Elasticsearch to Output.

If a Fleet Server policy exists that's pointing at an output, prevent its type attribute from being changed off of Elasticsearch. Users should be creating a separate output for their agents that output to Logstash, and this will prevent breaking their Fleet environment.

image

image

@kpollich kpollich added bug Fixes for quality problems that affect the customer experience Team:Fleet Team label for Observability Data Collection Fleet team labels Feb 27, 2023
@elasticmachine
Copy link
Contributor

Pinging @elastic/fleet (Team:Fleet)

@joshdover
Copy link
Contributor

joshdover commented Feb 27, 2023

I think we need to go a bit further than just validation here. We allow customers to set a Logstash output as their default output, which breaks any Fleet Server policies. So I think there's two things:

  • Setting the default output to Logstash should never change policies with Fleet Server, those should get switched over to the previous ES output
  • We need to allow an exception in the licensing code so that basic users can set their default output to Logstash but still have the Fleet Server policy attached to an ES output.

@ceeeekay
Copy link

ceeeekay commented Feb 28, 2023

We need to allow an exception in the licensing code so that basic users can set their default output to Logstash but still have the Fleet Server policy attached to an ES output.

This please. My architecture requires a Logstash output for agents, but I only have a basic license, and Fleet server 8.6 is unable to start with this config.

@lduvnjak
Copy link

@elastic/fleet
Any ETA on this fix? We can't use our fleet agents at the moment on version 8.6.

@kpollich
Copy link
Member Author

Hi folks, we've got this prioritized internally for our next sprint. 8.7.0 might be a bit of stretch to land the fix, but definitely expect a fix to land in 8.7.1 and 8.8.0.

@juliaElastic @criamico - Do you think we could take a look at this next week to see if we can get a backport to 8.7.0 done? We're passed feature freeze but this would be an impactful bugfix so should be acceptable to land on the release branch.

@criamico criamico self-assigned this Mar 13, 2023
@lucabelluccini
Copy link
Contributor

lucabelluccini commented Mar 22, 2023

Is the following one a valid workaround?

  • deploy the Fleet Server with ES output
  • switch it over to Logstash output (both data & monitoring)

criamico added a commit that referenced this issue Mar 23, 2023
Closes #152234

## Summary

- If the user changes an output from `ES` to `logstash` when there are
Fleet server policies that use that output, we throw asking the user to
create a new output
- If the user changes the default output to a `logstash` one, we update
the Fleet server policies to use the previous default output (that
should be ES)
- Removed limitations to basic licenses so that fleet server policies
can select a per-policy output (between the available ES outputs). This
means that "Basic" users should be able to set their default output to
Logstash but still have the Fleet Server policy attached to an ES
output.
- Added some tests to cover new functionalities

### UI changes

When editing a "logstash" output the modal displays a warning:

<img width="878" alt="Screenshot 2023-03-16 at 15 04 54"
src="https://user-images.githubusercontent.com/16084106/225665515-6090b85c-b84f-4295-9b30-c480d2a84879.png">

### Testing

1. **Edit existing logstash output to be default**
- Have a default ES output and a fleet server policy (verify that has
fleet server integration)
- Create a new logstash output 
- Update it to make it default (this is valid for both integrations and
monitoring output)
- Check that fleet server policy keeps the ES output, it can be verified
from agent policies > fleet server policy > settings.
- The other policies should be switched to the logstash output

**Note** if the previous output is logstash, it will be switched to the
default one. However, users who updated the system and already had a
logstash ouput set as a default will need to to manually set the output
from the agent policy settings page.

2. **Edit existing ES output to become a logstash one**
- Have a default ES output and a fleet server policy (verify that has
fleet server integration)
- Edit the output and change it to type 'logstash' 
- Check that the endpoint throws with an error

<img width="366" alt="Screenshot 2023-03-21 at 18 06 25"
src="https://user-images.githubusercontent.com/16084106/226687174-296e6e2b-3cef-4649-8173-18ee70c6a4a7.png">

3. **Create new logstash output as default**
- Have a default ES output and a fleet server policy (verify that has
fleet server integration)
- Create a new logstash output as set it as default output
- Check that the fleet server policy keeps the previous ES default
output
- basically this should behave like case 1 (PUT and POST should have the
same behaviour)

5. **Delete ES Output**
- Once in the previous case (fleet server on ES output, other policies
on logstash), try to delete the ES output
- It should be prevented with an error

<img width="444" alt="Screenshot 2023-03-16 at 15 05 44"
src="https://user-images.githubusercontent.com/16084106/226687206-f22e1330-4435-4077-a7ef-f29846f25e00.png">

6. **Custom output per policy**
- With "basic" license, go to an agent policy with fleet server >
settings
- Check that "output for integrations" can select any output of type
`elasticsearch`, while the logstash ones are disabled

<img width="981" alt="Screenshot 2023-03-21 at 18 09 29"
src="https://user-images.githubusercontent.com/16084106/226687854-95d239a3-4122-470a-88e0-73c456ad5f7d.png">

### Checklist

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Mar 23, 2023
Closes elastic#152234

## Summary

- If the user changes an output from `ES` to `logstash` when there are
Fleet server policies that use that output, we throw asking the user to
create a new output
- If the user changes the default output to a `logstash` one, we update
the Fleet server policies to use the previous default output (that
should be ES)
- Removed limitations to basic licenses so that fleet server policies
can select a per-policy output (between the available ES outputs). This
means that "Basic" users should be able to set their default output to
Logstash but still have the Fleet Server policy attached to an ES
output.
- Added some tests to cover new functionalities

### UI changes

When editing a "logstash" output the modal displays a warning:

<img width="878" alt="Screenshot 2023-03-16 at 15 04 54"
src="https://user-images.githubusercontent.com/16084106/225665515-6090b85c-b84f-4295-9b30-c480d2a84879.png">

### Testing

1. **Edit existing logstash output to be default**
- Have a default ES output and a fleet server policy (verify that has
fleet server integration)
- Create a new logstash output
- Update it to make it default (this is valid for both integrations and
monitoring output)
- Check that fleet server policy keeps the ES output, it can be verified
from agent policies > fleet server policy > settings.
- The other policies should be switched to the logstash output

**Note** if the previous output is logstash, it will be switched to the
default one. However, users who updated the system and already had a
logstash ouput set as a default will need to to manually set the output
from the agent policy settings page.

2. **Edit existing ES output to become a logstash one**
- Have a default ES output and a fleet server policy (verify that has
fleet server integration)
- Edit the output and change it to type 'logstash'
- Check that the endpoint throws with an error

<img width="366" alt="Screenshot 2023-03-21 at 18 06 25"
src="https://user-images.githubusercontent.com/16084106/226687174-296e6e2b-3cef-4649-8173-18ee70c6a4a7.png">

3. **Create new logstash output as default**
- Have a default ES output and a fleet server policy (verify that has
fleet server integration)
- Create a new logstash output as set it as default output
- Check that the fleet server policy keeps the previous ES default
output
- basically this should behave like case 1 (PUT and POST should have the
same behaviour)

5. **Delete ES Output**
- Once in the previous case (fleet server on ES output, other policies
on logstash), try to delete the ES output
- It should be prevented with an error

<img width="444" alt="Screenshot 2023-03-16 at 15 05 44"
src="https://user-images.githubusercontent.com/16084106/226687206-f22e1330-4435-4077-a7ef-f29846f25e00.png">

6. **Custom output per policy**
- With "basic" license, go to an agent policy with fleet server >
settings
- Check that "output for integrations" can select any output of type
`elasticsearch`, while the logstash ones are disabled

<img width="981" alt="Screenshot 2023-03-21 at 18 09 29"
src="https://user-images.githubusercontent.com/16084106/226687854-95d239a3-4122-470a-88e0-73c456ad5f7d.png">

### Checklist

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit ec3294f)
kibanamachine referenced this issue Mar 23, 2023
# Backport

This will backport the following commits from `main` to `8.7`:
- [[Fleet] Updates to output logic
(#153226)](#153226)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Cristina
Amico","email":"criamico@users.noreply.github.com"},"sourceCommit":{"committedDate":"2023-03-23T08:00:26Z","message":"[Fleet]
Updates to output logic (#153226)\n\nCloses
https://github.com/elastic/kibana/issues/152234\r\n\r\n##
Summary\r\n\r\n- If the user changes an output from `ES` to `logstash`
when there are\r\nFleet server policies that use that output, we throw
asking the user to\r\ncreate a new output\r\n- If the user changes the
default output to a `logstash` one, we update\r\nthe Fleet server
policies to use the previous default output (that\r\nshould be ES)\r\n-
Removed limitations to basic licenses so that fleet server
policies\r\ncan select a per-policy output (between the available ES
outputs). This\r\nmeans that \"Basic\" users should be able to set their
default output to\r\nLogstash but still have the Fleet Server policy
attached to an ES\r\noutput.\r\n- Added some tests to cover new
functionalities\r\n\r\n### UI changes\r\n\r\nWhen editing a \"logstash\"
output the modal displays a warning:\r\n\r\n<img width=\"878\"
alt=\"Screenshot 2023-03-16 at 15 04
54\"\r\nsrc=\"https://user-images.githubusercontent.com/16084106/225665515-6090b85c-b84f-4295-9b30-c480d2a84879.png\">\r\n\r\n###
Testing\r\n\r\n1. **Edit existing logstash output to be default**\r\n-
Have a default ES output and a fleet server policy (verify that
has\r\nfleet server integration)\r\n- Create a new logstash output \r\n-
Update it to make it default (this is valid for both integrations
and\r\nmonitoring output)\r\n- Check that fleet server policy keeps the
ES output, it can be verified\r\nfrom agent policies > fleet server
policy > settings.\r\n- The other policies should be switched to the
logstash output\r\n\r\n**Note** if the previous output is logstash, it
will be switched to the\r\ndefault one. However, users who updated the
system and already had a\r\nlogstash ouput set as a default will need to
to manually set the output\r\nfrom the agent policy settings
page.\r\n\r\n2. **Edit existing ES output to become a logstash
one**\r\n- Have a default ES output and a fleet server policy (verify
that has\r\nfleet server integration)\r\n- Edit the output and change it
to type 'logstash' \r\n- Check that the endpoint throws with an
error\r\n\r\n<img width=\"366\" alt=\"Screenshot 2023-03-21 at 18 06
25\"\r\nsrc=\"https://user-images.githubusercontent.com/16084106/226687174-296e6e2b-3cef-4649-8173-18ee70c6a4a7.png\">\r\n\r\n3.
**Create new logstash output as default**\r\n- Have a default ES output
and a fleet server policy (verify that has\r\nfleet server
integration)\r\n- Create a new logstash output as set it as default
output\r\n- Check that the fleet server policy keeps the previous ES
default\r\noutput\r\n- basically this should behave like case 1 (PUT and
POST should have the\r\nsame behaviour)\r\n\r\n5. **Delete ES
Output**\r\n- Once in the previous case (fleet server on ES output,
other policies\r\non logstash), try to delete the ES output\r\n- It
should be prevented with an error\r\n\r\n<img width=\"444\"
alt=\"Screenshot 2023-03-16 at 15 05
44\"\r\nsrc=\"https://user-images.githubusercontent.com/16084106/226687206-f22e1330-4435-4077-a7ef-f29846f25e00.png\">\r\n\r\n6.
**Custom output per policy**\r\n- With \"basic\" license, go to an agent
policy with fleet server >\r\nsettings\r\n- Check that \"output for
integrations\" can select any output of type\r\n`elasticsearch`, while
the logstash ones are disabled\r\n\r\n<img width=\"981\"
alt=\"Screenshot 2023-03-21 at 18 09
29\"\r\nsrc=\"https://user-images.githubusercontent.com/16084106/226687854-95d239a3-4122-470a-88e0-73c456ad5f7d.png\">\r\n\r\n###
Checklist\r\n\r\n- [x] Any text added follows [EUI's
writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\r\nsentence case text and includes
[i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n-
[x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Kibana Machine
<42973632+kibanamachine@users.noreply.github.com>","sha":"ec3294f2b340a5f6dbfdada3a997e17047bc8f17","branchLabelMapping":{"^v8.8.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:Fleet","backport:prev-minor","v8.8.0"],"number":153226,"url":"https://github.com/elastic/kibana/pull/153226","mergeCommit":{"message":"[Fleet]
Updates to output logic (#153226)\n\nCloses
https://github.com/elastic/kibana/issues/152234\r\n\r\n##
Summary\r\n\r\n- If the user changes an output from `ES` to `logstash`
when there are\r\nFleet server policies that use that output, we throw
asking the user to\r\ncreate a new output\r\n- If the user changes the
default output to a `logstash` one, we update\r\nthe Fleet server
policies to use the previous default output (that\r\nshould be ES)\r\n-
Removed limitations to basic licenses so that fleet server
policies\r\ncan select a per-policy output (between the available ES
outputs). This\r\nmeans that \"Basic\" users should be able to set their
default output to\r\nLogstash but still have the Fleet Server policy
attached to an ES\r\noutput.\r\n- Added some tests to cover new
functionalities\r\n\r\n### UI changes\r\n\r\nWhen editing a \"logstash\"
output the modal displays a warning:\r\n\r\n<img width=\"878\"
alt=\"Screenshot 2023-03-16 at 15 04
54\"\r\nsrc=\"https://user-images.githubusercontent.com/16084106/225665515-6090b85c-b84f-4295-9b30-c480d2a84879.png\">\r\n\r\n###
Testing\r\n\r\n1. **Edit existing logstash output to be default**\r\n-
Have a default ES output and a fleet server policy (verify that
has\r\nfleet server integration)\r\n- Create a new logstash output \r\n-
Update it to make it default (this is valid for both integrations
and\r\nmonitoring output)\r\n- Check that fleet server policy keeps the
ES output, it can be verified\r\nfrom agent policies > fleet server
policy > settings.\r\n- The other policies should be switched to the
logstash output\r\n\r\n**Note** if the previous output is logstash, it
will be switched to the\r\ndefault one. However, users who updated the
system and already had a\r\nlogstash ouput set as a default will need to
to manually set the output\r\nfrom the agent policy settings
page.\r\n\r\n2. **Edit existing ES output to become a logstash
one**\r\n- Have a default ES output and a fleet server policy (verify
that has\r\nfleet server integration)\r\n- Edit the output and change it
to type 'logstash' \r\n- Check that the endpoint throws with an
error\r\n\r\n<img width=\"366\" alt=\"Screenshot 2023-03-21 at 18 06
25\"\r\nsrc=\"https://user-images.githubusercontent.com/16084106/226687174-296e6e2b-3cef-4649-8173-18ee70c6a4a7.png\">\r\n\r\n3.
**Create new logstash output as default**\r\n- Have a default ES output
and a fleet server policy (verify that has\r\nfleet server
integration)\r\n- Create a new logstash output as set it as default
output\r\n- Check that the fleet server policy keeps the previous ES
default\r\noutput\r\n- basically this should behave like case 1 (PUT and
POST should have the\r\nsame behaviour)\r\n\r\n5. **Delete ES
Output**\r\n- Once in the previous case (fleet server on ES output,
other policies\r\non logstash), try to delete the ES output\r\n- It
should be prevented with an error\r\n\r\n<img width=\"444\"
alt=\"Screenshot 2023-03-16 at 15 05
44\"\r\nsrc=\"https://user-images.githubusercontent.com/16084106/226687206-f22e1330-4435-4077-a7ef-f29846f25e00.png\">\r\n\r\n6.
**Custom output per policy**\r\n- With \"basic\" license, go to an agent
policy with fleet server >\r\nsettings\r\n- Check that \"output for
integrations\" can select any output of type\r\n`elasticsearch`, while
the logstash ones are disabled\r\n\r\n<img width=\"981\"
alt=\"Screenshot 2023-03-21 at 18 09
29\"\r\nsrc=\"https://user-images.githubusercontent.com/16084106/226687854-95d239a3-4122-470a-88e0-73c456ad5f7d.png\">\r\n\r\n###
Checklist\r\n\r\n- [x] Any text added follows [EUI's
writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\r\nsentence case text and includes
[i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n-
[x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Kibana Machine
<42973632+kibanamachine@users.noreply.github.com>","sha":"ec3294f2b340a5f6dbfdada3a997e17047bc8f17"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v8.8.0","labelRegex":"^v8.8.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/153226","number":153226,"mergeCommit":{"message":"[Fleet]
Updates to output logic (#153226)\n\nCloses
https://github.com/elastic/kibana/issues/152234\r\n\r\n##
Summary\r\n\r\n- If the user changes an output from `ES` to `logstash`
when there are\r\nFleet server policies that use that output, we throw
asking the user to\r\ncreate a new output\r\n- If the user changes the
default output to a `logstash` one, we update\r\nthe Fleet server
policies to use the previous default output (that\r\nshould be ES)\r\n-
Removed limitations to basic licenses so that fleet server
policies\r\ncan select a per-policy output (between the available ES
outputs). This\r\nmeans that \"Basic\" users should be able to set their
default output to\r\nLogstash but still have the Fleet Server policy
attached to an ES\r\noutput.\r\n- Added some tests to cover new
functionalities\r\n\r\n### UI changes\r\n\r\nWhen editing a \"logstash\"
output the modal displays a warning:\r\n\r\n<img width=\"878\"
alt=\"Screenshot 2023-03-16 at 15 04
54\"\r\nsrc=\"https://user-images.githubusercontent.com/16084106/225665515-6090b85c-b84f-4295-9b30-c480d2a84879.png\">\r\n\r\n###
Testing\r\n\r\n1. **Edit existing logstash output to be default**\r\n-
Have a default ES output and a fleet server policy (verify that
has\r\nfleet server integration)\r\n- Create a new logstash output \r\n-
Update it to make it default (this is valid for both integrations
and\r\nmonitoring output)\r\n- Check that fleet server policy keeps the
ES output, it can be verified\r\nfrom agent policies > fleet server
policy > settings.\r\n- The other policies should be switched to the
logstash output\r\n\r\n**Note** if the previous output is logstash, it
will be switched to the\r\ndefault one. However, users who updated the
system and already had a\r\nlogstash ouput set as a default will need to
to manually set the output\r\nfrom the agent policy settings
page.\r\n\r\n2. **Edit existing ES output to become a logstash
one**\r\n- Have a default ES output and a fleet server policy (verify
that has\r\nfleet server integration)\r\n- Edit the output and change it
to type 'logstash' \r\n- Check that the endpoint throws with an
error\r\n\r\n<img width=\"366\" alt=\"Screenshot 2023-03-21 at 18 06
25\"\r\nsrc=\"https://user-images.githubusercontent.com/16084106/226687174-296e6e2b-3cef-4649-8173-18ee70c6a4a7.png\">\r\n\r\n3.
**Create new logstash output as default**\r\n- Have a default ES output
and a fleet server policy (verify that has\r\nfleet server
integration)\r\n- Create a new logstash output as set it as default
output\r\n- Check that the fleet server policy keeps the previous ES
default\r\noutput\r\n- basically this should behave like case 1 (PUT and
POST should have the\r\nsame behaviour)\r\n\r\n5. **Delete ES
Output**\r\n- Once in the previous case (fleet server on ES output,
other policies\r\non logstash), try to delete the ES output\r\n- It
should be prevented with an error\r\n\r\n<img width=\"444\"
alt=\"Screenshot 2023-03-16 at 15 05
44\"\r\nsrc=\"https://user-images.githubusercontent.com/16084106/226687206-f22e1330-4435-4077-a7ef-f29846f25e00.png\">\r\n\r\n6.
**Custom output per policy**\r\n- With \"basic\" license, go to an agent
policy with fleet server >\r\nsettings\r\n- Check that \"output for
integrations\" can select any output of type\r\n`elasticsearch`, while
the logstash ones are disabled\r\n\r\n<img width=\"981\"
alt=\"Screenshot 2023-03-21 at 18 09
29\"\r\nsrc=\"https://user-images.githubusercontent.com/16084106/226687854-95d239a3-4122-470a-88e0-73c456ad5f7d.png\">\r\n\r\n###
Checklist\r\n\r\n- [x] Any text added follows [EUI's
writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\r\nsentence case text and includes
[i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n-
[x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Kibana Machine
<42973632+kibanamachine@users.noreply.github.com>","sha":"ec3294f2b340a5f6dbfdada3a997e17047bc8f17"}}]}]
BACKPORT-->

Co-authored-by: Cristina Amico <criamico@users.noreply.github.com>
@ceeeekay
Copy link

Confirming the fix works great for me in 8.7.0. Thanks!

There's a cosmetic issue that the new dialog appears to be reporting an incorrect number of agents and policies (zero), and there's a missing warning graphic:

image

Basic license here, if that's relevant at all.

@jen-huang
Copy link
Contributor

jen-huang commented Mar 31, 2023

@ceeeekay Thanks for the report! For the incorrect count, we have a bug logged here: #152425

For the missing icon, I was able to produce this on a new 8.7 instance. I will follow up with our UI library team about this, very strange.

Edit: I put up a fix for the icon issue here: #154119

jen-huang added a commit that referenced this issue Mar 31, 2023
Originally reported in
#152234 (comment)

With EUI v76, `warning` icon type was introduced:
#152506

However, the EUI upgrade was only applied on 8.8. The callout here that
uses the warning icon was a bug fix backported to 8.7 after the EUI
upgrade. In 8.7 the EUI version does not have the `warning` icon type,
causing a broken image to be rendered in this callout.

This PR reverts the icon to the legacy `alert` type will only be merged
into 8.7.
@defensivedepth
Copy link

defensivedepth commented Apr 5, 2023

Using 8.7.0: Creating a Fleet Server Policy via the API is successful (screencap 1). Viewing the newly created Policy in the UI, it appears it has still selected the default Output, which is Logstash. (screencap 2)

If I specify the output in the API request with: "data_output_id":"output_elasticsearch"

I get the following error:

{"statusCode":400,"error":"Bad Request","message":"Invalid licence to set per policy output, you need platinum licence"}

Is this expected behavior?

image

image

@lduvnjak
Copy link

lduvnjak commented Apr 6, 2023

@defensivedepth, this might not help, but try adding an agent under that fleet server while having Elasticsearch as the default output, and switch to Logstash afterwards.
I can't test rn, but I remember having the same issue as you, until I added an agent, and only then switched the default output to Logstash.
Might have just been a one-off thing and not related though

@defensivedepth
Copy link

defensivedepth commented Apr 6, 2023

I was able to work around by creating the Policy via the API with the Logstash output and then updating the Policy through the API with "data_output_id":"output_elasticsearch"

@ceeeekay
Copy link

Not sure if I should raise this here or open a new issue, but I'm testing the Synthetics integration via a Logstash output, and it's failing with "Output not supported", which seems like the same behaviour as the Fleet server.

Basic license so I have no option to configure the Synthetics node with Elasticsearch output.

"message": "1 or more components/units in a failed state",
    "components": [
        {
            "id": "synthetics/tcp-default",
            "name": "",
            "state": 4,
            "message": "output not supported",
            "units": [
                {
                    "unit_id": "synthetics/tcp-default-synthetics/tcp-synthetics-6efbbe9d-b8b0-4a52-bc67-de69a8398f18-4d5a3bd0-c15a-11ed-bb49-0d174a3c4683-fleet",
                    "unit_type": 0,
                    "state": 4,
                    "message": "output not supported"
                },
                {
                    "unit_id": "synthetics/tcp-default",
                    "unit_type": 1,
                    "state": 4,
                    "message": "output not supported"
                }
            ],
            "version_info": {
                "name": "",
                "version": ""
            }
        }
[...]

Aside from the Basic license output limitations, requiring an Elasticsearch output would prevent me from deploying Synthetics monitoring to various locations in our network that can't access ES directly.

Any idea whether this is the intended behaviour?

Stack version: 8.7.0
Synthetics version: 0.11.8

@paulb-elastic
Copy link
Contributor

Hello @ceeeekay this is by design, Heartbeat does need a direct connection to Elasticsearch when using Synthetics.

We have an issue to make this clearer in the docs, as it's not right now. Sorry you hit this issue.

As you're using 8.7.0, I assume you're using Private Locations, and not the legacy Synthetics Integration? If not, then you need to switch over to Private Locations (any Synthetics Integration monitors will stop working in 8.8)

@ceeeekay
Copy link

Hi @paulb-elastic, thanks for the info.

I was testing with Private Locations in the Uptime/Synthetics beta section. No real problem if a direct ES connection is required. I was hoping to just be able to continue by ingesting Synthetics events to my existing Logstash architecture, but I'm sure I can work around it this be deploying dedicated nodes which have direct access to ES.

I guess the real issue now is how to get this to work with a Basic license, given the outputs limitation and the requirement to be enrolled in Fleet. Are there any plans to enforce Synthetics ES output in the same way that Fleet Server does since 8.7, regardless of licensing?

Cheers.

@paulb-elastic
Copy link
Contributor

@ceeeekay there is the limitation as you've mentioned. I've raised #155725 for us to consider removing this restriction. I can't give any indication yet when that might be able to be worked on, but you could watch that issue to keep track of it.

jillguyonnet added a commit that referenced this issue Jul 18, 2023
## Summary

Closes #155725

### Context

Basic license users cannot use Synthetics private locations and a
default Logstash output (cf. [this
comment](#155725 (comment))).
This is because under Basic license per policy output is not allowed.

There was a [similar
issue](#152234) with Fleet
server that was fixed by adding logic to exclude the fleet server
integration from the checks
([PR](#153226)).

This PR follows a very similar approach for the synthetics integration.

### Changes

Compare these to [the corresponding changes that were made for Fleet
server](#153226).

- If the user tries to change the default output from ES to Logstash and
there are agent policies using synthetics, then an error is thrown.
- If an existing Logstash output is made to be the default output and
there are agent policies using synthetics, then these policies will
still be using the previous default ES output.
- If the default output is of type Logstash with an agent policy using
synthetics and another ES output, then if the user tries to delete the
ES output an error is thrown.
- Logstash type outputs are disabled in the agent policy settings if the
policy uses synthetics.

### Steps for testing

⚠️ Ideally the complete scenario reported
[here](#155725 (comment))
should be tested. I was having some issues running a dev setup with a
proper Logstash output, so the steps below are not end-to-end (similar
to #153226).

1. Start with a single default ES output, an agent policy (1) with
synthetics and another (2) without (NB: you can also test combinations
with fleet server; if an error is thrown, the error for fleet server
would be thrown before the one for synthetics).
2. Edit the default ES output to be a Logstash output; this should fail
and thrown the following error:
![Screenshot 2023-07-14 at 15 07
56](https://github.com/elastic/kibana/assets/23701614/bf716a7a-745b-4b89-aa49-0ced2cc825a2)
3. Create a new Logstash output and make it default on creation. Go the
agent policies and check the policies settings: the `Output for
integrations` setting should still be set to the previous ES default
output for policies with synthetics (and/or fleet server), and should
have switched to the new Logstash default for other policies.
4. Repeat the previous steps, but this time first create the Logstash
output and then edit it to make it default. This tests the update
behaviour as opposed to create. You will see the following warning:
![Screenshot 2023-07-14 at 15 06
35](https://github.com/elastic/kibana/assets/23701614/283ee6c2-6d84-4847-bd3d-3c4ff734b2d6)
5. Still with the default Logstash output, try to delete the ES output
(that is still used by policies with synthetics/fleet server(. This
should fail with the following error:
![Screenshot 2023-07-14 at 15 16
03](https://github.com/elastic/kibana/assets/23701614/62dfe4c1-aed6-4d85-83f0-92985eab9336)
6. (Basic license constraint) Create another ES output (not default). Go
the agent policies and check the policies settings: policies with
synthetics (or fleet server) should be allowed to switch the `Output for
integrations` setting to the new ES output:
![Screenshot 2023-07-14 at 15 18
56](https://github.com/elastic/kibana/assets/23701614/98deb4fc-abb1-40e2-9556-1a4ecfa96923)
In contrast, policies without these integrations should be constrained
to the default Logstash output:
![Screenshot 2023-07-14 at 15 19
19](https://github.com/elastic/kibana/assets/23701614/9856de1f-675b-47db-a471-9796239f0f85)

### Checklist

- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
ThomThomson pushed a commit to ThomThomson/kibana that referenced this issue Aug 1, 2023
## Summary

Closes elastic#155725

### Context

Basic license users cannot use Synthetics private locations and a
default Logstash output (cf. [this
comment](elastic#155725 (comment))).
This is because under Basic license per policy output is not allowed.

There was a [similar
issue](elastic#152234) with Fleet
server that was fixed by adding logic to exclude the fleet server
integration from the checks
([PR](elastic#153226)).

This PR follows a very similar approach for the synthetics integration.

### Changes

Compare these to [the corresponding changes that were made for Fleet
server](elastic#153226).

- If the user tries to change the default output from ES to Logstash and
there are agent policies using synthetics, then an error is thrown.
- If an existing Logstash output is made to be the default output and
there are agent policies using synthetics, then these policies will
still be using the previous default ES output.
- If the default output is of type Logstash with an agent policy using
synthetics and another ES output, then if the user tries to delete the
ES output an error is thrown.
- Logstash type outputs are disabled in the agent policy settings if the
policy uses synthetics.

### Steps for testing

⚠️ Ideally the complete scenario reported
[here](elastic#155725 (comment))
should be tested. I was having some issues running a dev setup with a
proper Logstash output, so the steps below are not end-to-end (similar
to elastic#153226).

1. Start with a single default ES output, an agent policy (1) with
synthetics and another (2) without (NB: you can also test combinations
with fleet server; if an error is thrown, the error for fleet server
would be thrown before the one for synthetics).
2. Edit the default ES output to be a Logstash output; this should fail
and thrown the following error:
![Screenshot 2023-07-14 at 15 07
56](https://github.com/elastic/kibana/assets/23701614/bf716a7a-745b-4b89-aa49-0ced2cc825a2)
3. Create a new Logstash output and make it default on creation. Go the
agent policies and check the policies settings: the `Output for
integrations` setting should still be set to the previous ES default
output for policies with synthetics (and/or fleet server), and should
have switched to the new Logstash default for other policies.
4. Repeat the previous steps, but this time first create the Logstash
output and then edit it to make it default. This tests the update
behaviour as opposed to create. You will see the following warning:
![Screenshot 2023-07-14 at 15 06
35](https://github.com/elastic/kibana/assets/23701614/283ee6c2-6d84-4847-bd3d-3c4ff734b2d6)
5. Still with the default Logstash output, try to delete the ES output
(that is still used by policies with synthetics/fleet server(. This
should fail with the following error:
![Screenshot 2023-07-14 at 15 16
03](https://github.com/elastic/kibana/assets/23701614/62dfe4c1-aed6-4d85-83f0-92985eab9336)
6. (Basic license constraint) Create another ES output (not default). Go
the agent policies and check the policies settings: policies with
synthetics (or fleet server) should be allowed to switch the `Output for
integrations` setting to the new ES output:
![Screenshot 2023-07-14 at 15 18
56](https://github.com/elastic/kibana/assets/23701614/98deb4fc-abb1-40e2-9556-1a4ecfa96923)
In contrast, policies without these integrations should be constrained
to the default Logstash output:
![Screenshot 2023-07-14 at 15 19
19](https://github.com/elastic/kibana/assets/23701614/9856de1f-675b-47db-a471-9796239f0f85)

### Checklist

- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Fixes for quality problems that affect the customer experience Team:Fleet Team label for Observability Data Collection Fleet team
Projects
None yet
Development

Successfully merging a pull request may close this issue.

10 participants