
Add event.ingested to all Filebeat modules #20386

Merged

Conversation

@andrewkroh andrewkroh (Member) commented Jul 31, 2020

What does this PR do?

The event.ingested field defines the time at which the event was ingested into Elasticsearch
and it is added by the Ingest Node pipeline.

This adds a test to ensure all modules create event.ingested.

Why is it important?

This field is important when trying to build
alerts for activities that may have been reported long after they occurred (@timestamp is
much older than event.ingested). This might happen if an agent was offline for a period
of time or the processing was delayed.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • Verify that no pipelines have duplicate set processors for event.ingested

Related issues
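
As an added example (not code from this PR or the beats repository) of the point made under "Why is it important?": a scheduled rule that windows on @timestamp silently misses events that were reported late, while the same window on event.ingested catches them, and the gap between the two fields is itself worth alerting on. The sample documents, the 5 minute lookback, the 1 hour lag threshold and the run time are constructed for this example; field names follow ECS.

```python
"""Added example, not code from this PR or the beats repository.

Shows why a scheduled detection rule should window on event.ingested rather
than @timestamp: an event whose @timestamp is hours old can still be ingested
"now" if the agent was offline or processing was delayed. The documents,
lookback and lag threshold below are constructed for this example.
"""
from datetime import datetime, timedelta

# Constructed sample documents, as stored after an ingest pipeline ran
# `set event.ingested = {{_ingest.timestamp}}`. All times are UTC.
SAMPLE_DOCS = [
    # Normal case: read by Filebeat and indexed seconds after it happened.
    {"@timestamp": "2020-08-03T20:16:00.000Z",
     "event": {"ingested": "2020-08-03T20:16:04.000Z", "action": "user_login"}},
    # Agent was offline for ~3 hours; the log line is old but arrives now.
    {"@timestamp": "2020-08-03T17:10:00.000Z",
     "event": {"ingested": "2020-08-03T20:16:05.000Z", "action": "user_login"}},
    # Backlog from the previous day, shipped in the same batch.
    {"@timestamp": "2020-08-02T09:00:00.000Z",
     "event": {"ingested": "2020-08-03T20:16:06.000Z", "action": "user_login"}},
]

# How each time field is read out of a document.
TIME_FIELDS = {
    "@timestamp": lambda doc: doc["@timestamp"],
    "event.ingested": lambda doc: doc["event"]["ingested"],
}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' (ECS date format)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def ingest_lag(doc):
    """Delay between when the event occurred (@timestamp, taken from the log
    line) and when the ingest node stamped it (event.ingested)."""
    return parse_ts(doc["event"]["ingested"]) - parse_ts(doc["@timestamp"])


def rule_hits(docs, now, lookback, time_field):
    """Emulate a scheduled rule that, on each run, selects the documents whose
    `time_field` lies in [now - lookback, now]. Returns the matching docs."""
    get = TIME_FIELDS[time_field]
    start = now - lookback
    return [d for d in docs if start <= parse_ts(get(d)) <= now]


def delayed_events(docs, max_lag):
    """Events reported long after they occurred: worth their own alert, since
    a rule windowed on @timestamp would never have seen them in time."""
    return [d for d in docs if ingest_lag(d) > max_lag]


def ingested_window_query(lookback="5m"):
    """Equivalent Elasticsearch range query for a rule's lookback window,
    keyed on event.ingested so late arrivals are still selected."""
    return {"query": {"range": {"event.ingested": {"gte": f"now-{lookback}", "lte": "now"}}}}


def summary(docs, now_iso, lookback_seconds=300, max_lag_seconds=3600):
    """Compare the two windowing strategies for one rule run at `now_iso`."""
    now = parse_ts(now_iso)
    lookback = timedelta(seconds=lookback_seconds)
    return {
        "by_timestamp": len(rule_hits(docs, now, lookback, "@timestamp")),
        "by_ingested": len(rule_hits(docs, now, lookback, "event.ingested")),
        "delayed": len(delayed_events(docs, timedelta(seconds=max_lag_seconds))),
    }


if __name__ == "__main__":
    # The rule runs at 20:17:00 (constructed) with a 5 minute lookback.
    print(summary(SAMPLE_DOCS, "2020-08-03T20:17:00.000Z"))
    for doc in delayed_events(SAMPLE_DOCS, timedelta(hours=1)):
        print("late report:", doc["@timestamp"], "lag", ingest_lag(doc))
```

One security property worth keeping in mind when writing such rules: @timestamp is parsed from the log line the host produced, so a host that is compromised or simply has a wrong clock controls it, whereas event.ingested is assigned by the ingest node from its own clock and cannot be back-dated by the sender.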

@andrewkroh andrewkroh force-pushed the feature/fb/event-ingested-modules branch from 5c3bb48 to ac727ec Compare July 31, 2020 16:04
@andrewkroh andrewkroh marked this pull request as ready for review July 31, 2020 16:04
@elasticmachine elasticmachine (Collaborator)

Pinging @elastic/siem (Team:SIEM)

@andrewkroh andrewkroh added the needs_backport PR is waiting to be backported to other branches. label Jul 31, 2020
@elasticmachine elasticmachine (Collaborator) commented Jul 31, 2020

💚 Build Succeeded

Build stats

  • Build Cause: [Pull request #20386 updated]

  • Start Time: 2020-08-03T20:16:22.781+0000

  • Duration: 54 min 30 sec

Test stats 🧪

  • Failed: 0
  • Passed: 5516
  • Skipped: 840
  • Total: 6356

The event.ingested field defines the time at which the event was ingested into Elasticsearch
and it is added by the Ingest Node pipeline. This field is important when trying to build
alerts for activities that may have been reported long after they occurred (@timestamp is
much older than event.ingested). This might happen if an agent was offline for a period
of time or the processing was delayed.

This adds a test to ensure all modules create event.ingested.

Closes elastic#20073
@andrewkroh andrewkroh force-pushed the feature/fb/event-ingested-modules branch from 315e890 to 6f53473 Compare August 3, 2020 19:22
    value: '{{_ingest.timestamp}}'
- set:
    field: event.created
    value: '{{@timestamp}}'


These almost make me wonder if we should add event.created by default to the @timestamp populating code.


@andrewstucki @andrewkroh
So the ECS docs have this for event.created:

In case the two timestamps are identical, @timestamp should be used.

I'm wondering if we should be setting event.created & @timestamp to the same value?

@andrewstucki andrewstucki left a comment

I see a bunch of places where event.created is added--makes sense, but just wondering why it was added for some, but not others?

@andrewkroh andrewkroh (Member, Author)

Zeek already had event.created, but it was being set to _ingest.timestamp so I changed it to @timestamp. The diff looks like I added a new event.created field but really I changed it.

I do think that for consistency we should add event.created and also event.original to every module. But that's probably best to do in separate pull requests.
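
An added example, not the beats repository's own test code, covering the two checks this thread calls for: the author's checklist item (no pipeline may carry duplicate set processors for event.ingested, and every pipeline must set it from _ingest.timestamp) and the Zeek correction above (event.created must come from @timestamp, the Filebeat read time, not from _ingest.timestamp). The pipelines are embedded as constructed JSON strings with hypothetical names; against a checkout you would feed it the module pipeline files instead.

```python
"""Added example, not the beats repository's own test code.

Lints Filebeat ingest pipelines for two invariants:
  1. every pipeline sets event.ingested exactly once, from {{_ingest.timestamp}};
  2. event.created, when set, comes from {{@timestamp}} (the time Filebeat read
     the line), never from {{_ingest.timestamp}}.
SAMPLE_PIPELINES holds constructed pipelines; replace it with the contents of
real pipeline files to lint a checkout.
"""
import json

INGESTED_SOURCE = "{{_ingest.timestamp}}"
CREATED_SOURCE = "{{@timestamp}}"

# Constructed sample pipelines; names and contents are hypothetical.
SAMPLE_PIPELINES = {
    "good/ingest/pipeline.json": json.dumps({
        "description": "Sets both timestamps correctly",
        "processors": [
            {"set": {"field": "event.ingested", "value": "{{_ingest.timestamp}}"}},
            {"set": {"field": "event.created", "value": "{{@timestamp}}"}},
            {"grok": {"field": "message", "patterns": ["%{GREEDYDATA:log.original}"]}},
        ],
        "on_failure": [
            {"set": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}},
        ],
    }),
    "missing/ingest/pipeline.json": json.dumps({
        "processors": [
            {"grok": {"field": "message", "patterns": ["%{GREEDYDATA:log.original}"]}},
        ],
    }),
    "duplicate/ingest/pipeline.json": json.dumps({
        "processors": [
            {"set": {"field": "event.ingested", "value": "{{ _ingest.timestamp }}"}},
            # A second copy nested inside a foreach processor still counts.
            {"foreach": {"field": "items", "processor":
                {"set": {"field": "event.ingested", "value": "{{_ingest.timestamp}}"}}}},
        ],
    }),
    "zeek_style/ingest/pipeline.json": json.dumps({
        "processors": [
            {"set": {"field": "event.ingested", "value": "{{_ingest.timestamp}}"}},
            {"set": {"field": "event.created", "value": "{{_ingest.timestamp}}"}},
        ],
    }),
}


def iter_set_processors(node):
    """Yield the config dict of every `set` processor at any nesting depth
    (top-level processors, on_failure handlers, foreach sub-processors)."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "set" and isinstance(value, dict) and "field" in value:
                yield value
            yield from iter_set_processors(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_set_processors(item)


def normalize(template):
    """Ignore whitespace inside mustache braces, so that
    '{{ _ingest.timestamp }}' compares equal to '{{_ingest.timestamp}}'."""
    return "".join(str(template).split())


def check_pipeline(name, pipeline_json):
    """Return the findings for one pipeline; an empty list means it passes."""
    definition = json.loads(pipeline_json)
    findings = []
    sets = list(iter_set_processors(definition))
    ingested = [p for p in sets if p.get("field") == "event.ingested"]
    if not ingested:
        findings.append(f"{name}: no set processor for event.ingested")
    elif len(ingested) > 1:
        findings.append(f"{name}: {len(ingested)} set processors for event.ingested (expected 1)")
    for p in ingested:
        if normalize(p.get("value")) != INGESTED_SOURCE:
            findings.append(f"{name}: event.ingested must come from {INGESTED_SOURCE}, got {p.get('value')!r}")
    for p in sets:
        if p.get("field") == "event.created" and normalize(p.get("value")) != CREATED_SOURCE:
            findings.append(f"{name}: event.created must be the Filebeat read time {CREATED_SOURCE}, got {p.get('value')!r}")
    return findings


def check_all(pipelines):
    """Map each pipeline name to its findings."""
    return {name: check_pipeline(name, body) for name, body in pipelines.items()}


if __name__ == "__main__":
    for name, findings in check_all(SAMPLE_PIPELINES).items():
        print("OK  " if not findings else "FAIL", name)
        for finding in findings:
            print("     ", finding)
```

The PR's own test checks that the field ends up in the events each module produces; this lint is static, reading the pipeline definitions themselves, which is the form of check the author's checklist item describes. The walker deliberately recurses through on_failure and foreach blocks, because a second set processor hidden there would still produce a duplicate at ingest time.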

@andrewkroh andrewkroh merged commit 829c3b7 into elastic:master Aug 4, 2020
v1v added a commit to v1v/beats that referenced this pull request Aug 6, 2020
…ne-2.0

* upstream/master:
  [docs] Promote ingest management to beta (elastic#20295)
  Upgrade elasticsearch client library used in tests (elastic#20405)
  Disable logging when pulling on python integration tests (elastic#20397)
  Remove pillow from testing requirements.txt (elastic#20407)
  [Filebeat][ATP Module]Setting user agent field required by the API (elastic#20440)
  [Ingest Manager] Send datastreams fields (elastic#20402)
  Add event.ingested to all Filebeat modules (elastic#20386)
  [Elastic Agent] Fix agent control socket path to always be less than 107 characters (elastic#20426)
  Improve cgroup_regex docs with examples (elastic#20425)
  Makes `metrics` config option required in app_insights (elastic#20406)
  Ensure install scripts only install if needed (elastic#20349)
  Update container name for the azure filesets (elastic#19899)
  Group same timestamp metrics values in app_insights metricset (elastic#20403)
  add_process_metadata processor adds container id even if process metadata not accessible (elastic#19767)
  Support "cluster" scope in Metricbeat elasticsearch module (elastic#18547)
  [Filebeat][SophosXG Module] Renaming module and fileset (elastic#20396)
  Update Suricata dashboards (elastic#20394)
  [Elastic Agent] Improve version, restart, enroll CLI commands (elastic#20359)
  Prepare home directories for docker images in a different stage (elastic#20356)
v1v added a commit to v1v/beats that referenced this pull request Aug 6, 2020
…allation

* upstream/master: (23 commits)
  New multiline mode in Filebeat: while_pattern (elastic#19662)
  ...
@andrewkroh andrewkroh added v7.10.0 and removed needs_backport PR is waiting to be backported to other branches. labels Aug 6, 2020
andrewkroh added a commit to andrewkroh/beats that referenced this pull request Aug 6, 2020
The event.ingested field defines the time at which the event was ingested into Elasticsearch
and it is added by the Ingest Node pipeline. This field is important when trying to build
alerts for activities that may have been reported long after they occurred (@timestamp is
much older than event.ingested). This might happen if an agent was offline for a period
of time or the processing was delayed.

This adds a test to ensure all modules create event.ingested.

Use Filebeat read time instead of ingest time as event.created in Zeek.

Closes elastic#20073

(cherry picked from commit 829c3b7)
andrewkroh added a commit that referenced this pull request Aug 11, 2020
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this pull request Oct 14, 2020
Successfully merging this pull request may close these issues.

[Meta] Expand support for populating event.ingested
4 participants