Merge branch 'main' into add-entity-fields

elastic · Feb 24, 2025 · 2fbfa28 · 2fbfa28
2 parents 347c3d3 + eaecbe7
commit 2fbfa28
Show file tree

Hide file tree

Showing 40 changed files with 989 additions and 310 deletions.
diff --git a/.github/workflows/comment-on-asciidoc-changes.yml b/.github/workflows/comment-on-asciidoc-changes.yml
@@ -0,0 +1,21 @@
+---
+name: Comment on PR for .asciidoc changes
+
+on:
+  # We need to use pull_request_target to be able to comment on PRs from forks
+  pull_request_target:
+    types:
+      - synchronize
+      - opened
+      - reopened
+    branches:
+      - main
+      - master
+      - "9.0"
+
+jobs:
+  comment-on-asciidoc-change:
+    permissions:
+      contents: read
+      pull-requests: write
+    uses: elastic/docs-builder/.github/workflows/comment-on-asciidoc-changes.yml@main
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -4,11 +4,11 @@ on: [push, pull_request]
 
 jobs:
   tests:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     name: Unit Tests
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
         with:
           python-version: '3.x'
       - run: git fetch --prune --unshallow --tags

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,19 @@
 # CHANGELOG
 All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [8.17.0](https://github.com/elastic/ecs/compare/v8.16.0...v8.17.0)
+
+### Schema Changes
+
+#### Bugfixes
+
+* Fix link rendering issues and usage of http in links. #2423
+
+#### Improvements
+
+* Increase ignore_above value for url.query. #2424
+* Set synthetic_source_keep = none on fields that represent sets. #2422
+
 ## [8.16.0](https://github.com/elastic/ecs/compare/v8.11.0...v8.16.0)
 
 ### Schema Changes

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
@@ -12,14 +12,18 @@ Thanks, you're awesome :-) -->
 
 #### Breaking changes
 
+* Remove deprecated fields from previous major release; `process.pgid`, `service.node.role`, and inherited users. #2410
+
 #### Bugfixes
 
 * Fix link rendering issues and usage of http in links. #2423
 
 #### Added
+* Add `origin_referrer_url` and `origin_url` fields, which indicate the origin information to the file, process and dll schemas #2441
 
 #### Improvements
 
+* Promote beta fields to GA. #2411
 * Define base encoding of `x509.serial_number`. #2383
 * Restrict the encoding of `x509.serial_number` to base 16. #2398
 * Set synthetic_source_keep = none on fields that represent sets. #2422

diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc
@@ -821,17 +821,15 @@ Note also that the `cloud` fields may be used directly at the root of the events
 
 
 | `cloud.origin.*`
-| <<ecs-cloud,cloud>>| beta:[ Reusing the `cloud` fields in this location is currently considered beta.]
-
-Provides the cloud information of the origin entity in case of an incoming request or event.
+| <<ecs-cloud,cloud>>
+| Provides the cloud information of the origin entity in case of an incoming request or event.
 
 // ===============================================================
 
 
 | `cloud.target.*`
-| <<ecs-cloud,cloud>>| beta:[ Reusing the `cloud` fields in this location is currently considered beta.]
-
-Provides the cloud information of the target entity in case of an outgoing request or event.
+| <<ecs-cloud,cloud>>
+| Provides the cloud information of the target entity in case of an outgoing request or event.
 
 // ===============================================================
 
@@ -1841,6 +1839,42 @@ example: `kernel32.dll`
 
 // ===============================================================
 
+|
+[[field-dll-origin-referrer-url]]
+<<field-dll-origin-referrer-url, dll.origin_referrer_url>>
+
+a| beta:[ This field is beta and subject to change. ]
+
+The URL of the webpage that linked to the dll file.
+
+type: keyword
+
+
+
+example: `http://example.com/article1.html`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-dll-origin-url]]
+<<field-dll-origin-url, dll.origin_url>>
+
+a| beta:[ This field is beta and subject to change. ]
+
+The URL where the dll file is hosted.
+
+type: keyword
+
+
+
+example: `http://example.com/files/example.dll`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-dll-path]]
 <<field-dll-path, dll.path>>
@@ -2291,8 +2325,6 @@ image:https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentele
 
 These fields contain Linux Executable Linkable Format (ELF) metadata.
 
-beta::[ These fields are in beta and are subject to change.]
-
 [discrete]
 ==== ELF Header Field Details
 
@@ -3984,8 +4016,6 @@ example: `https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38f
 
 The user fields describe information about the function as a service (FaaS) that is relevant to the event.
 
-beta::[ These fields are in beta and are subject to change.]
-
 [discrete]
 ==== FaaS Field Details
 
@@ -4447,6 +4477,42 @@ image:https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentele
 
 // ===============================================================
 
+|
+[[field-file-origin-referrer-url]]
+<<field-file-origin-referrer-url, file.origin_referrer_url>>
+
+a| beta:[ This field is beta and subject to change. ]
+
+The URL of the webpage that linked to the file.
+
+type: keyword
+
+
+
+example: `http://example.com/article1.html`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-file-origin-url]]
+<<field-file-origin-url, file.origin_url>>
+
+a| beta:[ This field is beta and subject to change. ]
+
+The URL where the file is hosted.
+
+type: keyword
+
+
+
+example: `http://example.com/imgs/article1_img1.jpg`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-file-owner]]
 <<field-file-owner, file.owner>>
@@ -4601,9 +4667,8 @@ Note also that the `file` fields may be used directly at the root of the events.
 
 
 | `file.elf.*`
-| <<ecs-elf,elf>>| beta:[ This field reuse is beta and subject to change.]
-
-These fields contain Linux Executable Linkable Format (ELF) metadata.
+| <<ecs-elf,elf>>
+| These fields contain Linux Executable Linkable Format (ELF) metadata.
 
 // ===============================================================
 
@@ -5170,9 +5235,7 @@ image:https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentele
 [[field-host-boot-id]]
 <<field-host-boot-id, host.boot.id>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. Some container runtimes will bind mount a new boot_id value onto the proc file in each container.
+a| Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. Some container runtimes will bind mount a new boot_id value onto the proc file in each container.
 
 type: keyword
 
@@ -5440,9 +5503,7 @@ image:https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentele
 [[field-host-pid-ns-ino]]
 <<field-host-pid-ns-ino, host.pid_ns_ino>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h.
+a| This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h.
 
 type: keyword
 
@@ -8624,24 +8685,6 @@ Multi-fields:
 
 example: `ssh`
 
-| extended
-
-// ===============================================================
-
-|
-[[field-process-pgid]]
-<<field-process-pgid, process.pgid>>
-
-a| Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`.
-
-Identifier of the group of processes the process belongs to.
-
-type: long
-
-
-
-
-
 | extended
 
 // ===============================================================
@@ -9016,9 +9059,8 @@ The externally attested user based on an external source such as the Kube API.
 
 
 | `process.elf.*`
-| <<ecs-elf,elf>>| beta:[ This field reuse is beta and subject to change.]
-
-These fields contain Linux Executable Linkable Format (ELF) metadata.
+| <<ecs-elf,elf>>
+| These fields contain Linux Executable Linkable Format (ELF) metadata.
 
 // ===============================================================
 
@@ -13353,8 +13395,6 @@ Note also that the `vlan` fields are not expected to be used directly at the roo
 
 Fields related to storage volume details.
 
-beta::[ These fields are beta and are subject to change.]
-
 [discrete]
 ==== Volume Field Details
 

diff --git a/docs/fields/field-values.asciidoc b/docs/fields/field-values.asciidoc
@@ -64,8 +64,6 @@ This value is not used by Elastic solutions for alert documents that are created
 [[ecs-event-kind-asset]]
 ==== asset
 
-beta:[ This event categorization value is beta and subject to change. ]
-
 This value indicates events whose primary purpose is to store an inventory of assets/entities and their attributes. Assets/entities are objects (such as users and hosts) that are expected to be subjects of detailed analysis within the system.
 
 Examples include lists of user identities or accounts ingested from directory services such as Active Directory (AD), inventory of hosts pulled from configuration management databases (CMDB), and lists of cloud storage buckets pulled from cloud provider APIs.

diff --git a/docs/opentelemetry/otel-fields-mapping.asciidoc b/docs/opentelemetry/otel-fields-mapping.asciidoc
@@ -540,7 +540,7 @@ Note: The `body` in OTLP is of type `Any` and can be either an unstructured log
 
 .1+|
 [[otel-mapping-for-faas-coldstart]]
-<<field-faas-coldstart, faas.coldstart>> [beta]
+<<field-faas-coldstart, faas.coldstart>> 
 
 
 
@@ -554,7 +554,7 @@ Note: The `body` in OTLP is of type `Any` and can be either an unstructured log
 // ===============================================================
 .1+|
 [[otel-mapping-for-faas-execution]]
-<<field-faas-execution, faas.execution>> [beta]
+<<field-faas-execution, faas.execution>> 
 
 
 
@@ -568,7 +568,7 @@ Note: The `body` in OTLP is of type `Any` and can be either an unstructured log
 // ===============================================================
 .1+|
 [[otel-mapping-for-faas-name]]
-<<field-faas-name, faas.name>> [beta]
+<<field-faas-name, faas.name>> 
 
 
 
@@ -582,7 +582,7 @@ Note: The `body` in OTLP is of type `Any` and can be either an unstructured log
 // ===============================================================
 .1+|
 [[otel-mapping-for-faas-trigger-type]]
-<<field-faas-trigger-type, faas.trigger.type>> [beta]
+<<field-faas-trigger-type, faas.trigger.type>> 
 
 
 
@@ -596,7 +596,7 @@ Note: The `body` in OTLP is of type `Any` and can be either an unstructured log
 // ===============================================================
 .1+|
 [[otel-mapping-for-faas-version]]
-<<field-faas-version, faas.version>> [beta]
+<<field-faas-version, faas.version>> 
 
 
 

diff --git a/docs/opentelemetry/otel-mapping-summary.asciidoc b/docs/opentelemetry/otel-mapping-summary.asciidoc
@@ -311,7 +311,7 @@ h| Namespace
 
 
 | DLL
-^| <<ecs-dll,2>>
+^| <<ecs-dll,4>>
 ^| ·
 ^| ·
 ^| ·
@@ -443,7 +443,7 @@ h| Namespace
 
 
 | File
-^| <<ecs-file,22>>
+^| <<ecs-file,24>>
 ^| https://opentelemetry.io/docs/specs/semconv/attributes-registry/file[18]
 ^| 11
 ^| 7
@@ -815,7 +815,7 @@ h| Namespace
 
 
 | Process
-^| <<ecs-process,37>>
+^| <<ecs-process,36>>
 ^| https://opentelemetry.io/docs/specs/semconv/attributes-registry/process[33]
 ^| 15
 ^| 2