Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Winlogbeat] Move addition of event.ingested field from the modules' pipelines to the winlogbeat-routing pipeline #30516

Closed
herrBez opened this issue Feb 22, 2022 · 3 comments · Fixed by #30569
Closed

[Winlogbeat] Move addition of event.ingested field from the modules' pipelines to the winlogbeat-routing pipeline #30516

herrBez opened this issue Feb 22, 2022 · 3 comments · Fixed by #30569
Assignees
@efd6
Labels
enhancement Winlogbeat

Comments

@herrBez
Copy link
Contributor

herrBez commented Feb 22, 2022
edited
Loading

Describe the enhancement:

Move addition of ecs field event.ingested from the modules' pipelines (sysmon, security, powershell and powershell_operational) pipelines to the winlogbeat-{{agent.version}}-routing pipeline.

Describe a specific use case for the enhancement or feature:

  • As an Elasticsearch user I want all indices to be ECS-compliant
  • As an Elasticsearch user I want to see the latency between the event on the original machine (@timestamp), generation of the event in winlogbeat (event.created) and the arrival to elasticsearch (event.ingested)
  • As a Kibana user I may want to create index-patterns based on event.ingested instead of @timestamp

References

See #29435 for additional details
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Feb 22, 2022
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Feb 23, 2022
@andrewkroh
Copy link
Member

That sounds like a good idea so that it can enrich events with event.ingested that are not handled by specific pipelines.

@andrewkroh
Copy link
Member

This depends on #30406. We need the integration tests in place first. Currently the pipelines are clones from Fleet and are tested there. But if we are going to be making modifications then we need those tests in place.

@efd6 efd6 mentioned this issue Feb 23, 2022
Merged
3 tasks
@efd6 efd6 self-assigned this May 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@efd6 efd6

Labels
enhancement Winlogbeat
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

x-pack/winlogbeat: move event.ingested setting to routing efd6/beats
4 participants
@andrewkroh @herrBez @elasticmachine @efd6