Add agent.build for extended agent version information #764

Merged
merged 7 commits into from
Apr 6, 2020

andrewstucki
Contributor

This adds a field for extended build information for agents. This would actually be pretty useful in a few scenarios:

  1. An agent running in an emulated execution context (i.e. 32bit binary running on a 64bit system)
  2. When someone wants to identify a custom build of an agent that otherwise follows the exact same versioning semantics as other agents

The use case from the endpoint side is in identifying exact build configurations of an endpoint that's shipping data to elasticsearch. When we see a buggy payload we want to be able to identify the exact build of the binary even if semver indicates it's from a particular release branch. I could imagine the same thing would be potentially useful in beats.

@webmat
Contributor

webmat commented Mar 25, 2020

I think this makes sense.

The gist is for this field to be free form, correct? E.g. another type of agent, or a custom pipeline could very well populate this only with a Git sha, a 4-5 digit numeric or other kinds of shenanigans?

@ruflin or @urso thoughts on this field?

@webmat
Contributor

webmat commented Mar 25, 2020

@james-elastic Would this be useful to the Endpoint team? Does someone on the team have thoughts about this?

@urso

urso commented Mar 26, 2020

When hearing custom build and sha, I rather wonder if it would make sense to have standardized fields, instead of an ad hoc string only field. E.g. build.timestamp, build.id, build.machine, build.host, ...

@ruflin
Contributor

ruflin commented Mar 27, 2020

+1 on the idea of having .build or .build.* in ECS.

@urso Perhaps an idea is that we go with agent.build.id to get started so we have a prefix available but don't need to get into the details of all the other fields?

@urso

urso commented Mar 27, 2020

+1 on making agent.build extensible.

What will agent.build.id actually mean? The example output uses: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]. The example reminds me of user_agent.original. To be consistent with that we might want to name the field agent.build.original :)

@ruflin
Contributor

ruflin commented Mar 27, 2020

I'm on board starting with .original.

@james-elastic

@webmat yeah this would be very helpful!

@webmat
Contributor

webmat commented Mar 27, 2020

Love the idea of following the .original naming pattern from User Agent. Thanks for this idea, @urso !

@andrewstucki I think we can move swiftly and rename your field addition to agent.build.original, meant to be free form, like you show in the example.

Then in later PRs, as needed we can start adding more precise fields. agent.build.commit would be an obvious next field, and perhaps the build date as well.

WDYT about this plan?
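
The use case discussed in this thread (telling apart agents that report the same version but come from different builds, with a free-form build string) as an added Python example; it is not code from this PR or from ECS tooling. The events, host names and the `commit`/`built`/`arch` keys are constructed for illustration, and only the first build string is the one quoted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# First string is the example quoted in the thread; the others are constructed.
BEAT = ("metricbeat version 7.6.0 (amd64), libbeat 7.6.0 "
        "[6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]")
CUSTOM = ("metricbeat version 7.6.0 (386), libbeat 7.6.0 "
          "[" + "0" * 39 + "1 built 2020-03-01 08:00:00 +0000 UTC]")
EVENTS = [  # constructed ECS-shaped events
    {"host": {"name": "web-01"}, "agent": {"type": "metricbeat", "version": "7.6.0", "build": {"original": BEAT}}},
    {"host": {"name": "web-02"}, "agent": {"type": "metricbeat", "version": "7.6.0", "build": {"original": CUSTOM}}},
    {"host": {"name": "db-01"}, "agent": {"type": "endpoint", "version": "7.7.0", "build": {"original": "4512"}}},
    {"host": {"name": "db-02"}, "agent": {"type": "endpoint", "version": "7.7.0"}},  # field absent
]

SHA = re.compile(r"\b[0-9a-f]{40}\b")
BUILT = re.compile(r"built (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})")
ARCH = re.compile(r"\((\w+)\)")

def parse_build(original):
    """Best-effort extraction; the field is free-form, so every key is optional."""
    out = {}
    if m := SHA.search(original):
        out["commit"] = m.group(0)
    if m := BUILT.search(original):
        out["built"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z").isoformat()
    if m := ARCH.search(original):
        out["arch"] = m.group(1)
    return out

def ambiguous_versions(events):
    """Return {(type, version): {build: [hosts]}} where one version maps to several builds."""
    seen = defaultdict(lambda: defaultdict(list))
    for ev in events:
        agent = ev["agent"]
        build = agent.get("build", {}).get("original")
        if build is not None:  # agents that do not populate the field are skipped
            seen[(agent["type"], agent["version"])][build].append(ev["host"]["name"])
    return {k: dict(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for key, builds in ambiguous_versions(EVENTS).items():
        for build, hosts in builds.items():
            print(key, hosts, parse_build(build))
```
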

@andrewstucki
Contributor Author

@webmat sorry, this totally slipped by--I renamed the field to agent.build.original and updated the changelog.

Contributor

@webmat webmat left a comment

I'm good to go with this, when this comment is addressed.

Contributor

@webmat webmat left a comment

LGTM

Thanks @andrewstucki

@@ -22,6 +22,7 @@ Thanks, you're awesome :-) -->

* Added `search.*` fields #729
* Add architecture and imphash for PE field set. (#763)
* Added `agent.build.*` for extended agent version information. (#764)
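
Review bot: The added changelog line names `agent.build.*`, but the discussion settled on a single free-form field, `agent.build.original`, so the wildcard implies a wider field set than this PR ships. Name the field explicitly, and consider settling on one reference style, since the two entries above it write `#729` and `(#763)` differently.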
Suggested change
* Added `agent.build.*` for extended agent version information. (#764)
* Added `agent.build.original` for extended agent version information. (#764)

@andrewstucki andrewstucki merged commit 596538f into elastic:master Apr 6, 2020
@andrewstucki andrewstucki deleted the agent_build branch April 6, 2020 19:59
dcode pushed a commit to dcode/ecs that referenced this pull request Apr 15, 2020
* Add agent.build for extended agent version information

* Add changelog entry

* rename field to build.original

* re-run code generation

* Add short field and additional line about formatting