[Packetbeat] Fix data stream name for network flows under Agent (#28408)

* Fix data stream name for network flows under Agent This fixes and issue with network flows being written to the wrong index when using the Network Packet Capture integration in Fleet. The error was: {"type:"security_exception", "reason":"action [indices:admin/auto_create] is unauthorized for API key id [xxx] of user [elastic/fleet-server] on indices [logs-network_traffic.flow-default-2021.10.13] …"} The cause is that flows were setting `index` rather than `raw_index`. With `index` Beats adds the date suffix, but since this is a data stream we want `raw_index` where the value passes through as-is.
elastic · Oct 15, 2021 · 5c92897 · 5c92897
1 parent cc7239a
commit 5c92897
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -434,6 +434,7 @@ for a few releases. Please use other tools provided by Elastic to fetch data fro
 *Packetbeat*
 
 - Handle truncated DNS records more gracefully. {issue}21495[21495] {pull}28297[28297]
+- Fix data stream name for network flows when running under Elastic Agent and Fleet. {pull}28408[28408]
 
 *Winlogbeat*
 

diff --git a/packetbeat/beater/setup.go b/packetbeat/beater/setup.go
@@ -60,7 +60,7 @@ func setupFlows(pipeline beat.Pipeline, watcher procs.ProcessesWatcher, cfg conf
 		},
 	}
 	if cfg.Flows.Index != "" {
-		clientConfig.Processing.Meta = common.MapStr{"index": cfg.Flows.Index}
+		clientConfig.Processing.Meta = common.MapStr{"raw_index": cfg.Flows.Index}
 	}
 
 	client, err := pipeline.ConnectWith(clientConfig)