Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Ingest Manager] Prevent reporting ecs version twice #21616

Merged
merged 4 commits into from
Oct 19, 2020
Merged

[Ingest Manager] Prevent reporting ecs version twice #21616

Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
7c62949
prevent reporting ecs version twice
michalpristas Oct 7, 2020
b19b4d9
Merge branch 'master' of github.com:elastic/beats into agent-ecs-version
michalpristas Oct 13, 2020
3981233
changelog
michalpristas Oct 13, 2020
2065ce2
Merge branch 'master' into agent-ecs-version
michalpristas Oct 19, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion x-pack/elastic-agent/pkg/core/monitoring/beats/beats_monitor.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,6 @@ func (b *Monitor) EnrichArgs(process, pipelineID string, args []string, isSideca
logFile = fmt.Sprintf("%s-json.log", logFile)
appendix = append(appendix,
"-E", "logging.json=true",
"-E", "logging.ecs=true",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am confused? If this is removed then what is added the ecs.version to the events?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

confused as well i'm still looking, but i think this is not ideal place to fix, need to play with it a bit more

Copy link
Contributor Author

@michalpristas michalpristas Oct 7, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One ECS is probably comming from processing pipeline (look for WithECS) and additional one we were adding when logging.

This is why i see 2 versions 1.5.0 and 1.6.0. 1.6.0 is coming from publishing pipeline and version is set in libbeat.
1.5.0 is coming from logp as it is hardcoded there.

And as i dont want to alter publishing pipeline and libbeat code, this seems like a good place for a fix after all.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's a problem with logp, that version should be centralized. WDYT @urso

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, that explains why. Agent is already adding the ecs fields in the log, then filebeat is adding it again.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does enabling the ecs flags do more than just adding the version?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i compared event with ecs enabled and without ecs and they differed in version, host and agent stayed there

"-E", "logging.files.path="+loggingPath,
"-E", "logging.files.name="+logFile,
"-E", "logging.files.keepfiles=7",
Expand Down