Try out constant_keyword value fields in system log integrations

[fearful-symmetry]

What does this PR do?

This is a draft PR to test out the changes discussed here: https://github.com/elastic/security-team/issues/780
This is an addition based on the spec changes here: elastic/package-spec#194

This probably won't pass CI or anything now, as we're also waiting for this: elastic/elastic-package#386

This PR adds the value field to constant_keyword fields in the base yaml files.

Checklist

• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• If I'm introducing a new feature, I have modified the Kibana version constraint in my package's manifest.yml file to point to the latest Elastic stack release (e.g. ^7.13.0).

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Build Cause: Pull request #1211 updated

• Start Time: 2021-06-29T16:21:33.555+0000

• Duration: 11 min 13 sec

• Commit: 64cac9f

Test stats 🧪

Test	Results
Failed	0
Passed	266
Skipped	0
Total	266

Trends 🧪

[peluja1012]

Hi @fearful-symmetry, thanks for opening up this PR! From the Security Solution side, the most important piece is for this integration to populate both event.dataset and event.module. The idea, as described here, was that integrations, such as this one, could populate values for these fields by defining them as constant_keyword and then setting the value in the index mapping. I'm not too familiar with this codebase, but in this PR I don't see any changes related to event.dataset or event.module. If values for these fields are already being set somewhere else, then we're probably ok. But otherwise, we may need to make other updates here or somewhere else.

[andrewkroh]

Thanks for setting up a test. I merged support for the value field into Kibana so after we get some new snapshots I expect this should work. elastic/kibana#103000

[fearful-symmetry]

Figured I'd get the fields mixed up. Let's try that.

[fearful-symmetry]

@andrewkroh do we want to manually set the value for event.dataset or use some kind of alias?

[ruflin]

This is a nice addition we likely should add anywhere. @mtojek I remember we had some discussion around this in the past, maybe there is even an issue for it. Later on we should make sure it is in sync with the type in the manifest.

[mtojek]

Are you referring to validation only? If so, then I understand that this property will ALWAYS be in sync with the type (any overriding forbidden)?

[ruflin]

Yes, can't think of a use case where the two would not be in sync.

[ruflin]

Nit: Can we move event.dataset and event.module to the bottom to have it together as one block? Like this the diff is also cleaner to only have an addition on the bottom, assuming we leave out the changes for value in data_stream.*

[mtojek]

Please update the changelog and version in the package manifest.

CI complains about formatting and Git conflicts.

[ruflin]

For reference, here the two related issues: #226 elastic/kibana#66551

[mtojek]

nit: should be uppercase

[mtojek]

@ruflin shouldn't this field be removed?

[mtojek]

@ruflin shouldn't this field be removed? I think we replaced it with data_stream

[mtojek]

@ruflin same here

[fearful-symmetry]

Alright, everything should be updated now. Just depends on what we want to do with the value in the data_stream objects that I added because I was confused, as well as data_stream.type

[fearful-symmetry]

A tad confused by the CI failures, since ep check -v seems happy when I run it locally.

[fearful-symmetry]

...helps if I update elastic-package

[peluja1012]

Should this say event.dataset instead of event.datastream?

[fearful-symmetry]

Good catch!

[mtojek]

Could you please make sure that dataset.* are not required anymore and clean them? I saw some in https://github.com/elastic/integrations/blob/27d37a116d765c32cccbbfd4f0773e563aed093c/packages/system/data_stream/security/fields/base-fields.yml .

[fearful-symmetry]

Could you please make sure that dataset.* are not required anymore and clean them?

@mtojek that's one of the things I'm not clear on. What uses dataset.*? I'm not really sure if it's safe to remove.

[fearful-symmetry]

Okay, so it just now occurred to me that when you said "required anymore" you were probably referring to the dashboards & saved searches. If that's the case, no, nothing is using them.

[mtojek]

LGTM