search

elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats
Other
12.15k stars 4.91k forks source link

Beats configuration "dotted" keys issue #27079

Open aleksmaus opened 3 years ago

aleksmaus commented 3 years ago

It looks like the "dotted" keys are not supported in the configuration as of July 27th, 2021.

Trying to introduce the ecs_mapping for osquery_manager integration.

The data stream template (stream.yml.hbs) looks like this:

query: {{query}}
{{#if interval}}
interval: {{interval}}
{{/if}}
id: {{id}}
{{#if platform}}
platform: {{platform}}
{{/if}}
{{#if version}}
version: {{version}}
{{/if}}
{{#if ecs_mapping}}
ecs_mapping:
{{#each ecs_mapping}}
   '{{@key}}':
      {{#each this}}
         '{{@key}}': {{this}} 
      {{/each}}
{{/each}}
{{/if}}

Submitting the integration configuration payload with ecs_mapping that looks like the following:

....
                        "ecs_mapping": {
                            "value": {
                                "user.custom.shoeSize": {
                                    "value": 45
                                },
                                "user.id": {
                                    "field": "uid"
                                },
                                "user.name": {
                                    "field": "username"
                                }
                            }
                        }
....

Kibana renders the stream configuration with ecs_mapping like the following

    streams:
      - id: users
        data_stream:
          dataset: osquery_manager.result
          type: logs
        query: select * from users limit 2
        interval: 60
        ecs_mapping:
          user.custom.shoeSize:
            value: 45
          user.id:
            field: uid
          user.name:
            field: username

The agent receives the ecs_mapping blob correctly as JSON

{
    "ecs_mapping": {
        "user.custom.shoeSize": {
            "value": 45
        },
        "user.id": {
            "field": "uid"
        },
        "user.name": {
            "field": "username"
        }
    }
}

The beats configuration YAML update is "broken", the beat received the configuration where the keys with dots are unwrapped into the nested YAML tree:

    ecs_mapping:
      user:
        custom:
          shoeSize:
            value: 45
        id:
          field: uid
        name:
          field: username

Expecting the keys with dots to be preserved as is and the original structure of the document to be unchanged (flat mapping document with the dotted keys".

elasticmachine commented 3 years ago

Pinging @elastic/agent (Team:Agent)

ruflin commented 3 years ago

@michalpristas @blakerouse @urso I assume this building of the tree somewhere happens between Elastic Agent when the config is shipped down to the process. Maybe go-ucfg is applying some magic here? Is there a reason we "dedot" configs?

aleksmaus commented 3 years ago

go-ucfg

looks like default options use ucfg.PathSep(".") which will split the key

ruflin commented 3 years ago

I wonder if we should disable this in general. Maybe worth trying to remove it and see what happens? Otherwise we could just disabled it for osquerybeat?

blakerouse commented 3 years ago

I don't think we can just remove it. It would break parsing other parts of the elastic-agent.yml.

aleksmaus commented 3 years ago 
{
        "foo.bar": {
            "value": 45
        }
        "foo": {
            "bar": {
                "value": 23
            }
        }
}

so with the JSON like this for example we will loose some values after converting to YAML? the last one wins? I understand the compatibility issues with existing yaml configuration. but does it have to be yaml a year from now for example? maybe a config format can be a part of the spec? this possibly would allow to skip yaml conversion for the beats/apps that can consume JSON configuration as is. just thinking out loud.

ruflin commented 3 years ago

@aleksmaus Did we ever make progress on this issue? How did you solve it?

aleksmaus commented 3 years ago

@aleksmaus Did we ever make progress on this issue? How did you solve it?

as far as I understood from the replies that this can't be easily fixing without breaking backwards compatibility. we just adopted what we get in osquerybeat in this particular case, and flattened the tree in osquerybeat code.

javabrett commented 2 years ago

I wonder if I've hit a variant of this issue - my case is different in that I'm just starting with a Beats metricbeat module prometheus configuration, as module configuration in YAML only, so no JSON. I guess the config file is still processed by ucfg with ucfg.PathSep("."), and this is preventing me from expressing config keys which contain a .:

- module: prometheus
  period: 60s
  hosts: ["https://endpoint.with.https:443"]
  metricsets: ["query"]
  queries:
  - name: export
    path: /path/to/export
    params:
      foo.bar: baz
  username: "someuser"
  password: "somesecretpassword"

... results in a bad interpretation of key foo.bar resulting in a query https://endpoint.with.https:443/path/to/export?foo=map%5Bbar%3Abaz%5D or decoded, foo=map[bar:baz].

Are there any known escaping or quoting workarounds for this?

Also posted to https://discuss.elastic.co/t/how-can-i-represent-a-config-key-containing-a-dot-period-full-stop/301907

elasticmachine commented 2 years ago

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

botelastic[bot] commented 1 year ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

aleksmaus commented 1 year ago

My memories are vague about this issue, it's been awhile. I think for osquerybeat we "worked around" this limitation. Could potentially be closed.

ruflin commented 1 year ago

I think the problem that how the configs are treated is not always the same still persists. @joshdover Reminds me of the standalone elastic agent experience where dots sometimes work and sometimes don't.

bartoszcisek commented 1 year ago

This issuer might be related to escaping URLs in query argument https://github.com/elastic/elastic-agent/issues/3421

botelastic[bot] commented 1 week ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!