Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement proposed changes from RFC 00300 - linux event model fields #1842

Merged
merged 17 commits into from
Mar 22, 2022
Merged

Implement proposed changes from RFC 00300 - linux event model fields #1842

merged 17 commits into from
Mar 22, 2022

Conversation

kgeller
Copy link
Contributor

@kgeller kgeller commented Mar 17, 2022

Implement the schema changes for linux event model proposed in RFC 0030 and updated in #1826

@kgeller kgeller added the 8.2.0 label Mar 17, 2022
@kgeller kgeller self-assigned this Mar 17, 2022
mitodrummer
mitodrummer reviewed Mar 17, 2022
View reviewed changes
mitodrummer
mitodrummer reviewed Mar 17, 2022
View reviewed changes
schemas/process.yml
The entry type for the entry session leader.
Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console

- name: entry_meta.source
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just realized we have this defined here as well as in source.yml. I would guess we should omit from process.yml?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we need a -name: entry_meta to replace it? so source.yml has something to attach to? kinda like below with the 'tty' field?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, I will remove it from process

We can define it if you want to be explicit, but it isn't necessary

@mitodrummer
Copy link
Contributor

Just a few notes, but overall looking good! Did you want me to merge my PR instead of making changes to rfcs/text/0030/* stuff? I guess it's not a big deal to resolve those conflicts though.

@kgeller
Copy link
Contributor Author

kgeller commented Mar 18, 2022

Just a few notes, but overall looking good! Did you want me to merge my PR instead of making changes to rfcs/text/0030/* stuff? I guess it's not a big deal to resolve those conflicts though.

So these changes are to the actual schema, so we can get your fields out there as beta and officially into ECS.

I think we hold off on your PR for now just since stage 3 signifies the addition is finished. Unless, you wanted to change it to a stage 2 update and we hold that Stage 3 label for a little longer.

@mitodrummer
Copy link
Contributor

oh yea no worries, it can wait.

mitodrummer
mitodrummer approved these changes Mar 18, 2022
View reviewed changes
Copy link
Contributor

@mitodrummer mitodrummer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@kgeller kgeller marked this pull request as ready for review March 18, 2022 17:20
@kgeller kgeller requested a review from a team March 18, 2022 17:20
ebeahan
ebeahan reviewed Mar 21, 2022
View reviewed changes
Copy link
Member

@ebeahan ebeahan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With all the introduced fields and reuses, this PR more than doubles the existing total ECS field count. However, this is because the current ECS tooling is fully populating all the reuses to build its artifacts.

From the ECS side, we're planning on submitting a follow-up PR shortly to trim this total back using filtering for some of the process.* reuese. But that's not a blocker for moving forward with these changes.

FYI @mitodrummer - ECS will base its process.* filtering on your work in the endpoint-package

ebeahan
ebeahan approved these changes Mar 22, 2022
View reviewed changes
Copy link
Member

@ebeahan ebeahan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kgeller kgeller merged commit e012aca into elastic:main Mar 22, 2022
@kgeller kgeller deleted the linux-event-model-beta-changes branch March 22, 2022 13:27
kgeller added a commit to kgeller/ecs that referenced this pull request Mar 22, 2022
@kgeller
Implement proposed changes from RFC 00300 - linux event model fields (e…
cd98fa9 
…lastic#1842)

# Conflicts:
#	experimental/generated/csv/fields.csv
#	generated/csv/fields.csv
@kgeller kgeller mentioned this pull request Mar 22, 2022
Merged
kgeller added a commit that referenced this pull request Mar 22, 2022
@kgeller
[8.2] Implement proposed changes from RFC 00300 - linux event model f…
b4b04d7 
…ields (#1842) (#1845)
@kgeller kgeller mentioned this pull request Mar 22, 2022
Closed
1 task
@mitodrummer
Copy link
Contributor

ing for some of the

Cool, yea @kqualters-elastic opened this PR which has a lot of nested mappings on the process fieldsets, so glad to hear you are going to filter some of those out, as I imagine this adds quite a large overhead to indexes making use of these new mappings. https://github.com/elastic/kibana/pull/128286/files

@ebeahan ebeahan mentioned this pull request Mar 22, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ebeahan ebeahan ebeahan approved these changes

@mitodrummer mitodrummer mitodrummer approved these changes

Assignees

@kgeller kgeller

Labels
8.2.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kgeller @mitodrummer @ebeahan