elastic / elasticsearch

Free and Open, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch

GeoIP Autonomous System Fields aren't returned in the Elastic Common Schema structure #109951

Open berglh opened 1 week ago

berglh commented 1 week ago

Description

I've had a quick search through the issues and couldn't find anything related, and I'm not sure whether this is a feature request or a bug.

I have just noticed that when using the GeoIP filter with the GeoLite2-ASN.mmdb look-up, the returned values are in the structure:

            "as": {
              "asn": 1234,
              "organization_name": "My Org Name"
            },

This doesn't match the Elastic Common Schema for Autonomous System Fields:

            "as": {
              "number": 1234,
              "organization": {
                "name": "My Org Name"
              }
            },

This doesn't seem to impact the geo City/Country databases, and it's not clear from the GeoIP processor documentation that this happens. I haven't closely reviewed this, but visually it seems to be the case.

I assume the processor just returns the results from the lookup DB and doesn't touch the structure.

I've now arrived in the state that in our indices we have the ECS AS fields which are empty, and the fields returned by the ASN DB in fields not described by the ECS component templates. Obviously, this is my own fault for not validating this initially, but I feel like we should make it easy for users to conform to the Elastic Common Schema given the benefits.

I propose this should be addressed in one of the following ways:

  1. Add a setting in the GeoIP to store fields in the ECS structure (non-default, non-breaking but requires clarity in documentation)
  2. Return the ASN payload in ECS structure (breaking existing pipelines, undesirable but correct for ECS users)
  3. Make it clear in the GeoIP processor documentation that the ASN payload is not in the Elastic Common Schema (better than no action). Offer example rename processors to put the values in the ECS structure.
  4. Adjust ECS to use the structure in the GeoLite2 DB (undesirable, goes against the idea of ECS being additive)

elasticsearchmachine commented 1 week ago

Pinging @elastic/es-data-management (Team:Data Management)
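As an added example (not code from the issue author or from the Elasticsearch project): the kind of pipeline option 3 asks for, using the documented geoip and rename processors to move the GeoLite2-ASN keys into the ECS as.number / as.organization.name layout, plus a small Python simulator of the rename step so the mapping can be checked offline. The pipeline id, the source.as target field, the sample document (203.0.113.5) and the simulator's rename semantics (skip when the source is absent and ignore_missing is set, fail when the target already exists) are assumptions; the geoip lookup itself is not executed here because it needs the database file.

```python
"""Rename GeoLite2-ASN output into the ECS Autonomous System field layout.

Added example for this issue, not Elasticsearch project code. The pipeline
body uses only documented processors (geoip, rename); the pipeline id,
the 'source.as' target field and the sample document are assumptions.
"""
import copy
import json

# Body for: PUT _ingest/pipeline/asn-to-ecs   (pipeline id is an assumption)
# geoip writes the raw GeoLite2-ASN keys (asn, organization_name) under
# target_field; the two rename steps move them to the ECS names.
# ignore_missing stops the pipeline failing on IPs the ASN DB has no entry for.
ASN_TO_ECS_PIPELINE = {
    "description": "GeoLite2-ASN lookup renamed to ECS as.* fields",
    "processors": [
        {"geoip": {
            "field": "source.ip",
            "target_field": "source.as",
            "database_file": "GeoLite2-ASN.mmdb",
            "properties": ["asn", "organization_name"],
            "ignore_missing": True,
        }},
        {"rename": {
            "field": "source.as.asn",
            "target_field": "source.as.number",
            "ignore_missing": True,
        }},
        {"rename": {
            "field": "source.as.organization_name",
            "target_field": "source.as.organization.name",
            "ignore_missing": True,
        }},
    ],
}

# Constructed document shaped like the geoip processor's ASN output
# (the values match the structure quoted in the issue).
SAMPLE_GEOIP_OUTPUT = {
    "source": {"ip": "203.0.113.5",
               "as": {"asn": 1234, "organization_name": "My Org Name"}}
}


def _lookup(doc, path):
    """Return (parent_dict, leaf_key) for a dotted path; parent is None
    when any intermediate object is missing or not an object."""
    parts = path.split(".")
    node = doc
    for part in parts[:-1]:
        node = node.get(part) if isinstance(node, dict) else None
        if node is None:
            return None, parts[-1]
    return (node if isinstance(node, dict) else None), parts[-1]


def _exists(doc, path):
    parent, key = _lookup(doc, path)
    return parent is not None and key in parent


def _set(doc, path, value):
    """Set a dotted path, creating intermediate objects as needed
    (so 'source.as.organization.name' creates the 'organization' object)."""
    parts = path.split(".")
    node = doc
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def apply_renames(doc, pipeline):
    """Apply only the rename processors of a pipeline to a copy of doc.

    Mirrors the documented rename behaviour as assumed here: missing source
    is skipped with ignore_missing (otherwise an error), and an existing
    target is always an error. The geoip step is skipped (needs the DB).
    """
    out = copy.deepcopy(doc)
    for step in pipeline["processors"]:
        if "rename" not in step:
            continue
        cfg = step["rename"]
        src, dst = cfg["field"], cfg["target_field"]
        if not _exists(out, src):
            if cfg.get("ignore_missing", False):
                continue
            raise KeyError(f"field [{src}] doesn't exist")
        if _exists(out, dst):
            raise ValueError(f"field [{dst}] already exists")
        parent, key = _lookup(out, src)
        _set(out, dst, parent.pop(key))
    return out


def has_ecs_as(doc, prefix="source.as"):
    """True when both ECS AS fields are present under prefix."""
    return _exists(doc, f"{prefix}.number") and _exists(
        doc, f"{prefix}.organization.name")


if __name__ == "__main__":
    print(json.dumps(ASN_TO_ECS_PIPELINE, indent=2))
    print(json.dumps(apply_renames(SAMPLE_GEOIP_OUTPUT, ASN_TO_ECS_PIPELINE),
                     indent=2))
```

The rename steps fail if as.number already exists in the document, so on indices that already carry both layouts (the state described in the issue) the renames need either a remove processor first or a reindex with the pipeline applied to the original source documents rather than to the mixed ones.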