
[Packetbeat] Events are produced with capitalized ECS fields like process.parent.Name #42108

Closed
andrewkroh opened this issue Dec 18, 2024 · 2 comments · Fixed by #42116
Labels
bug Packetbeat Team:Security-Linux Platform Linux Platform Team in Security Solution

Comments

@andrewkroh
Member

Packetbeat is producing incorrectly named ECS fields. Specifically, under process.parent the field attribute names are capitalized, like process.parent.Name. The mappings for the network_traffic Fleet integration show:

json[".ds-logs-network_traffic.dns-default-2024.10.12-000009"].process.parent.Name = {};
json[".ds-logs-network_traffic.dns-default-2024.10.12-000009"].process.parent.Name.ignore_above = 1024;
json[".ds-logs-network_traffic.dns-default-2024.10.12-000009"].process.parent.Name.type = "keyword";
@andrewkroh andrewkroh added bug Packetbeat Team:Security-Linux Platform Linux Platform Team in Security Solution labels Dec 18, 2024
@elasticmachine
Collaborator

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

@andrewkroh
Member Author

andrewkroh commented Dec 18, 2024

This looks like a bug with the Packetbeat ECS event marshaler [1]. The problem can be replicated by modifying this test case:

diff --git a/packetbeat/pb/event_test.go b/packetbeat/pb/event_test.go
index 9765cc194b..dcb50e1648 100644
--- a/packetbeat/pb/event_test.go
+++ b/packetbeat/pb/event_test.go
@@ -32,6 +32,11 @@ import (
 func TestMarshalMapStr(t *testing.T) {
        f := NewFields()
        f.Source = &ecs.Source{IP: "127.0.0.1"}
+       f.Process = &ecs.Process{
+               Parent: &ecs.Process{
+                       Name: "Foo",
+               },
+       }
 
        m := mapstr.M{}
        if err := f.MarshalMapStr(m); err != nil {
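Review bot: the added `f.Process` value is populated but never checked, so this test passes whether or not the marshaler recurses into `Parent`. After the `f.MarshalMapStr(m)` call, assert that the flattened map contains `process.parent.name` and does not contain `process.parent.Name` (a lookup of each dotted key on `m`, expecting the first to succeed and the second to fail); that turns the reproduction into a regression test for the fix rather than a manual inspection of the output.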

I suspect the cause is that it is not recursing into the nested ECS structs when marshaling the struct into the map[string]any.

The generated ECS structs that Packetbeat is currently using are unmaintained. We should move away from using that package, but this is a separate concern.

Footnotes

  1. https://github.com/elastic/beats/blob/2fec2d91f06774cddb9b7b974d4a10144b0fd786/packetbeat/pb/event.go#L403
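The non-recursion suspected in the comment above, as an added example that is not Packetbeat's code nor the generated ECS package's: `Process` and `Fields` are hypothetical stand-ins (with an `ecs` struct tag carrying the ECS field name), `marshalStructShallow` models a marshaler that keys one struct's direct fields by tag but stores a nested struct pointer unchanged, so that a later `encoding/json` pass falls back to the exported Go field names (`Name`, `PID`), and `marshalStructDeep` applies the tag at every level. `CapitalizedKeys` scans the encoded event for key segments containing an upper-case letter, which is never valid for an ECS field name and is the check a unit test could assert on.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"sort"
	"strings"
	"unicode"
)

// Process and Fields are hypothetical stand-ins for the generated ECS
// Process struct and packetbeat's pb.Fields, reduced to a few fields.
type Process struct {
	Name   string   `ecs:"name"`
	PID    int      `ecs:"pid"`
	Parent *Process `ecs:"parent"`
}

type Fields struct {
	Process *Process `ecs:"process"`
}

// marshalStructShallow keys the direct fields of one struct by ecs tag but
// stores a nested struct pointer (Parent) as-is. encoding/json then names
// that struct's members by Go field name, producing process.parent.Name.
func marshalStructShallow(rv reflect.Value) map[string]any {
	out := map[string]any{}
	rt := rv.Type()
	for i := 0; i < rv.NumField(); i++ {
		fv := rv.Field(i)
		if fv.IsZero() { // skip "", 0 and nil pointers
			continue
		}
		out[rt.Field(i).Tag.Get("ecs")] = fv.Interface()
	}
	return out
}

// marshalStructDeep applies the ecs tag at every nesting level.
func marshalStructDeep(rv reflect.Value) map[string]any {
	out := map[string]any{}
	rt := rv.Type()
	for i := 0; i < rv.NumField(); i++ {
		fv := rv.Field(i)
		if fv.IsZero() {
			continue
		}
		key := rt.Field(i).Tag.Get("ecs")
		if inner := reflect.Indirect(fv); inner.Kind() == reflect.Struct {
			out[key] = marshalStructDeep(inner) // recurse into nested ECS struct
		} else {
			out[key] = fv.Interface()
		}
	}
	return out
}

// MarshalFields builds the event map, delegating each populated ECS struct
// to the given struct marshaler.
func MarshalFields(f *Fields, marshalStruct func(reflect.Value) map[string]any) map[string]any {
	out := map[string]any{}
	rv := reflect.ValueOf(f).Elem()
	rt := rv.Type()
	for i := 0; i < rv.NumField(); i++ {
		fv := rv.Field(i)
		if fv.IsZero() {
			continue
		}
		out[rt.Field(i).Tag.Get("ecs")] = marshalStruct(reflect.Indirect(fv))
	}
	return out
}

// EventJSON encodes the event map as it would be serialized on output.
func EventJSON(m map[string]any) string {
	b, err := json.Marshal(m)
	if err != nil {
		panic(err)
	}
	return string(b)
}

// CapitalizedKeys returns every dotted key path in the encoded event whose
// final segment contains an upper-case letter, sorted for stable comparison.
func CapitalizedKeys(jsonEvent string) []string {
	var m map[string]any
	if err := json.Unmarshal([]byte(jsonEvent), &m); err != nil {
		panic(err)
	}
	var bad []string
	walkKeys(m, "", &bad)
	sort.Strings(bad)
	return bad
}

func walkKeys(m map[string]any, prefix string, bad *[]string) {
	for k, v := range m {
		path := k
		if prefix != "" {
			path = prefix + "." + k
		}
		if strings.IndexFunc(k, unicode.IsUpper) >= 0 {
			*bad = append(*bad, path)
		}
		if sub, ok := v.(map[string]any); ok {
			walkKeys(sub, path, bad)
		}
	}
}

func main() {
	// Constructed sample event mirroring the modified test case.
	f := &Fields{Process: &Process{Name: "bash", PID: 42, Parent: &Process{Name: "Foo", PID: 1}}}
	shallow := EventJSON(MarshalFields(f, marshalStructShallow))
	deep := EventJSON(MarshalFields(f, marshalStructDeep))
	fmt.Println("shallow:", shallow, CapitalizedKeys(shallow))
	fmt.Println("deep:   ", deep, CapitalizedKeys(deep))
}
```

The shallow variant yields `process.parent.Name` and `process.parent.PID` in the encoded event, while the recursive variant yields `process.parent.name` and `process.parent.pid`; asserting that `CapitalizedKeys` is empty is the kind of check that would have failed on the modified test case.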
