elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[Elasticsearch]: Mapping conflict with Audit logs #10590

Open s7ryph opened 1 month ago

s7ryph commented 1 month ago

Integration Name

Elasticsearch [elasticsearch]

Integration Version

1.13.1

Agent Version

8.11.0

Agent Output Type

elasticsearch

Elasticsearch Version

8.11.1

OS Version and Architecture

RHEL 7.9

Software/API Version

No response

Error Message

No response

Event Original

No response

Anything else?

Integration does not have the mapping defined for the host labels, and host.ip is being created as a keyword field instead of IP.

andrewkroh commented 1 month ago

Only 3 of 18 data streams in the elasticsearch integration have mappings for host.ip.

{"name":"host.ip","type":"ip","description":"Host ip addresses.","external":"ecs","source":{"path":"packages/elasticsearch/data_stream/gc/fields/ecs.yml","line":25,"column":3}}
{"name":"host.ip","type":"ip","description":"Host ip addresses.","external":"ecs","source":{"path":"packages/elasticsearch/data_stream/deprecation/fields/ecs.yml","line":31,"column":3}}
{"name":"host.ip","type":"ip","description":"Host ip addresses.","external":"ecs","source":{"path":"packages/elasticsearch/data_stream/server/fields/ecs.yml","line":31,"column":3}}

Under Elasticsearch >=8.13.0 this should be fixed because all data streams will have a new ecs@mappings component template that has dynamic mappings for ECS fields.
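Added example (not code from the issue thread or the integrations repository): a small Python script that takes field definitions in the one-JSON-object-per-line shape quoted in the comment above, groups them by data stream, and reports which data streams lack an explicit mapping for a field and where the effective types disagree. It assumes that a string field with no explicit mapping is dynamically mapped as `keyword` (the behaviour the issue reports), and it models the `ecs@mappings` component template mentioned for >=8.13.0 with a hand-written subset of ECS field types. The `audit` data stream entries, the `text`-typed `host.name` entry and the `ECS_TYPES` table are constructed for the demonstration.

```python
import json
import re
from collections import defaultdict

# Constructed sample input. The three host.ip lines mirror the comment above;
# the "audit" entries and the text-typed host.name entry are invented to show a
# missing mapping and an explicit type clash. Only name, type and source.path
# are read.
FIELD_DEFS = """\
{"name":"host.ip","type":"ip","source":{"path":"packages/elasticsearch/data_stream/gc/fields/ecs.yml"}}
{"name":"host.ip","type":"ip","source":{"path":"packages/elasticsearch/data_stream/deprecation/fields/ecs.yml"}}
{"name":"host.ip","type":"ip","source":{"path":"packages/elasticsearch/data_stream/server/fields/ecs.yml"}}
{"name":"host.name","type":"keyword","source":{"path":"packages/elasticsearch/data_stream/gc/fields/ecs.yml"}}
{"name":"host.name","type":"text","source":{"path":"packages/elasticsearch/data_stream/audit/fields/fields.yml"}}
{"name":"event.action","type":"keyword","source":{"path":"packages/elasticsearch/data_stream/audit/fields/fields.yml"}}
"""

# Assumption: a tiny hand-written subset of ECS field types standing in for the
# dynamic ECS mappings of the ecs@mappings component template (not the real one).
ECS_TYPES = {"host.ip": "ip", "host.name": "keyword", "event.action": "keyword"}

DATA_STREAM_RE = re.compile(r"^packages/[^/]+/data_stream/([^/]+)/")


def data_stream_of(path):
    """Extract the data stream name from a package-relative fields file path."""
    m = DATA_STREAM_RE.match(path)
    return m.group(1) if m else None


def load_field_defs(text):
    """Parse JSON lines into {field: {data_stream: explicit_type}}."""
    defs = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ds = data_stream_of(rec["source"]["path"])
        if ds is None:
            continue
        defs[rec["name"]][ds] = rec["type"]
    return defs


def effective_types(defs, streams, ecs_dynamic=False, dynamic_default="keyword"):
    """Return {field: {data_stream: effective_type}}.

    A stream without an explicit mapping gets the ECS type when ecs_dynamic is
    set (modelling the >=8.13.0 ecs@mappings behaviour) and otherwise the
    dynamic-mapping default for strings, assumed here to be keyword.
    """
    out = {}
    for field, explicit in defs.items():
        types = {}
        for ds in streams:
            if ds in explicit:
                types[ds] = explicit[ds]
            elif ecs_dynamic and field in ECS_TYPES:
                types[ds] = ECS_TYPES[field]
            else:
                types[ds] = dynamic_default
        out[field] = types
    return out


def mapping_conflicts(defs, streams, ecs_dynamic=False):
    """Return {field: {type: [streams]}} for fields whose effective type differs."""
    conflicts = {}
    for field, types in effective_types(defs, streams, ecs_dynamic).items():
        by_type = defaultdict(list)
        for ds, t in types.items():
            by_type[t].append(ds)
        if len(by_type) > 1:
            conflicts[field] = {t: sorted(v) for t, v in sorted(by_type.items())}
    return conflicts


def unmapped_streams(defs, field, streams):
    """Data streams with no explicit mapping for `field`."""
    return sorted(ds for ds in streams if ds not in defs.get(field, {}))


if __name__ == "__main__":
    defs = load_field_defs(FIELD_DEFS)
    streams = ["gc", "deprecation", "server", "audit"]
    print("host.ip not mapped in:", unmapped_streams(defs, "host.ip", streams))
    for label, flag in (("before ecs@mappings", False), ("with ecs@mappings", True)):
        print(label, json.dumps(mapping_conflicts(defs, streams, flag), indent=1))
```

Run as-is, it shows `host.ip` conflicting (`ip` in three streams, `keyword` in `audit`) before the ECS dynamic mappings and no longer conflicting with them, while the explicit `text` mapping on `host.name` still clashes either way, since an explicit mapping in a fields file wins over a dynamic template.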