Skip to content

Latest commit

 

History

History
101 lines (63 loc) · 5.31 KB

0017-remove-log-original.md

File metadata and controls

101 lines (63 loc) · 5.31 KB
Raw

0017: Remove log.original

  • Stage: 2 (candidate)
  • Date: 2021-04-28

This RFC supersedes issue #841 which implies breaking changes therefore the RFC Process is indicated.

The request is to consolidate log.original and event.original by removing log.original, since these are almost equivalent in nature. (One) justification for preserving event.original is that not all events are logs. Once log.original is removed, event.original will be the sole field intended to capture the original untouched event.

Fields

Field Set Field(s)
log log.original
event event.original

  • The internal description of the field log.original in log should be amended by addition of a notice of deprecation and subsequently removal if/when Deprecation progresses to Removal

  • The internal description of the field event.original in event should be updated to reflect the revised scope

  • The extended description of log.original in the Log Fields documentation should be amended by addition of a notice of deprecation and subsequently removal if/when Deprecation progresses to Removal

  • The extended description of event.original in the Event Fields documentation should be amended to clarify the absorption of log.original

Usage

The following examples are taken verbatim from the existing field definitions and are included for completeness.

These are the raw texts of entire events, for example a log message. They differ from the extracted message field in that no processing has been applied and the field is not indexed by default. The field can still be retrieved from _source and is well-suited to demonstration of log integrity or in a re-index pipeline.

Source data

Any or all incoming log or event messages when the original value of the event needs to be preserved.

{"event.original": "Sep 19 08:26:10 host CEF:0|Security|
          threatmanager|1.0|100|
          worm successfully stopped|10|src=10.0.0.1
          dst=2.1.2.2spt=1232"}

{"event.original": "Sep 19 08:26:10 localhost My log"}

Scope of impact

Beats modules, Agent integration packages and the Logging UI would be required to migrate if this change is adopted as proposed.

The removal of log.original will be considered a breaking change since the field is being removed from the schema. Possible migration/mitigations for users impacted may include:

  • The Beats default fields inclusion list list should be updated by removing log.original if/when Deprecation progresses to Removal

  • The logs UI message column currently displays log.original in the absence of a message field. This should be updated to use event.original as the substitute field. See builtin_rules and associated test.

  • References in the RAC Rule Registry will need to be removed - these have required: false so hopefully non-breaking change.

  • Multiple tests in Kibana will need to be updated see e.g. Function Test APM Mapping

  • TBD would it be beneficial to alias log.original for current users of this field

  • TBD if there exist current users of fields with distinct content/meaning in a common index mapping

Concerns

As a breaking change, this would require timely communication to the Elastic Community.

People

The following are the people that consulted on the contents of this RFC.

  • @djptek | author
  • @ebeahan | sponsor
  • @andrewkroh | Beats & Logging UI
  • @jasonrhodes | Logging UI & RAC
  • @MikePaquette | RAC

References

RFC Pull Requests