[Elastic Agent] Logs from Elastic-Agent and sub process do not have all fields mapped correctly

[belimawr]

• Blocked by Rename log.source in the agent logs to avoid mapping conflicts with existing uses of log.source.address elastic-agent#2857

• Version: 8.8.1

• Operating System: Linux, but I believe it affects all OSs
  - Discuss Forum URL:

Steps to Reproduce:

1. Create a Cloud 8.8.1 deployment

2. Create a policy with: monitoring enabled, system integration and Custom Logs

3. Deploy Elastic-Agent

4. Go to Kibana, expand some of the log entries from Elastic-Agent

5. log.source and component.dataset do not have any mapping

   Screenshot

   

Tasks

Preview Give feedback

1. Rename log.source in the agent logs to avoid mapping conflicts with existing uses of log.source.address elastic-agent#2857
   Team:Elastic-Agent bug +2
2. Introduce mapping for component.*

[cmacknz]

This can be fixed in the elastic_agent integration, we map a subset of the component fields today. Likely this was just forgotten because the agent itself is in a separate repository from this integration.

integrations/packages/elastic_agent/data_stream/elastic_agent_logs/fields/fields.yml

Lines 29 to 53 in 8c68f89

	- name: component
	type: group
	description: Agent component that the log message is about, only available on Elastic Agent 8.6.0+
	fields:
	- name: id
	type: wildcard
	ignore_above: 1024
	description: Component id
	- name: type
	type: keyword
	ignore_above: 1024
	description: The type of the component
	- name: binary
	type: keyword
	ignore_above: 1024
	description: The binary that exeuctes the component
	example: filebeat
	- name: state
	type: keyword
	ignore_above: 1024
	description: Current component health
	- name: old_state
	type: keyword
	ignore_above: 1024
	description: Previous component health

[andrewkroh]

We need to be careful about mapping log.source because there are a bunch of integrations are using log.source.address.

ECS should probably be updated to have a place for the log.source.* data. I mentioned this in elastic/beats#34371 (comment).

[cmacknz]

It might be simpler for agent to rename log.source to log.source.name or something so that log.source can stay an object with an official mapping for log.source.address. Agent doesn't map it and its only been around since 8.6.x.

[cmacknz]

I've created elastic/elastic-agent#2857 and marked it as blocking this issue.

[belimawr]

It seems some of the "new" fields introduced in 8.6 are missing mapping in some indexes, which causes some very odd behaviours when filtering data. Here is an example of this odd behaviour: elastic/kibana#159371

And an example of indexes missing mapping for component.id:

GET logs-*/_mapping/field/component.id

# results in the following
{
  ".ds-logs-enterprise_search.api-default-2023.06.14-000001": {
    "mappings": {}
  },
  ".ds-logs-elastic_agent-default-2023.06.14-000001": {
    "mappings": {
      "component.id": {
        "full_name": "component.id",
        "mapping": {
          "id": {
            "type": "wildcard",
            "ignore_above": 1024
          }
        }
      }
    }
  },
  ".ds-logs-enterprise_search.audit-default-2023.06.14-000001": {
    "mappings": {}
  },
  ".ds-logs-elastic_agent.filebeat-default-2023.06.14-000001": {
    "mappings": {}
  },
  ".ds-logs-generic-default-2023.06.14-000001": {
    "mappings": {}
  },
  ".ds-logs-elastic_agent.metricbeat-default-2023.06.14-000001": {
    "mappings": {}
  }
}

[cmacknz]

We can fix all of the component field mappings without waiting for the log.source rename, they are separate problems. We just shouldn't map log.source until we rename it to avoid even more mapping conflicts than we already have.

[belimawr]

I added a task list to the main description so we can better keep track of the fields needing mapping.

[botelastic]

Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

[agmic]

👍