Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[AWS Firehose] populate event.dataset field for ingested records #12750

Open
Kavindu-Dodan opened this issue Feb 12, 2025 · 0 comments
Open

[AWS Firehose] populate event.dataset field for ingested records #12750

Kavindu-Dodan opened this issue Feb 12, 2025 · 0 comments
Assignees
@Kavindu-Dodan
Labels
Team:obs-ds-hosted-services Label for the Observability Hosted Services team [elastic/obs-ds-hosted-services]

Comments

@Kavindu-Dodan
Copy link
Contributor

Kavindu-Dodan commented Feb 12, 2025
edited
Loading

Background

Firehose integration 1 utilizes several other AWS data streams added through AWS integration 2. Most of those integrations do not currently define event.dataset field (ex: see Cloudtrail fields3).

Problem

Other components rely on the existence of the event.dataset field. For example, consider the pre-build security rule 4. These rules will fail to work with current integration configurations as data lacks the required field.

Solution

Update integrations to add event.dataset where possible with correct constant values. For example, Cloudtrail should have event.dataset: aws.cloudtrail. This must get added through relevant AWS assets as Firehose internally perform rerouting ( for example see logs 5 and metrics 6)

Footnotes

  1. https://github.com/elastic/integrations/tree/main/packages/awsfirehose

  2. https://github.com/elastic/integrations/tree/main/packages/aws

  3. https://github.com/elastic/integrations/blob/main/packages/aws/data_stream/cloudtrail/fields/base-fields.yml

  4. https://www.elastic.co/guide/en/security/current/aws-iam-login-profile-added-to-user.html

  5. https://github.com/elastic/integrations/blob/main/packages/awsfirehose/data_stream/logs/routing_rules.yml

  6. https://github.com/elastic/integrations/blob/main/packages/awsfirehose/data_stream/metrics/routing_rules.yml

@Kavindu-Dodan Kavindu-Dodan added the Team:obs-ds-hosted-services Label for the Observability Hosted Services team [elastic/obs-ds-hosted-services] label Feb 12, 2025
@Kavindu-Dodan Kavindu-Dodan changed the title [AWS Firehose] populate event dataset field for ingested record [AWS Firehose] populate event dataset field for ingested records Feb 12, 2025
@Kavindu-Dodan Kavindu-Dodan changed the title [AWS Firehose] populate event dataset field for ingested records [AWS Firehose] populate event.dataset field for ingested records Feb 14, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Kavindu-Dodan Kavindu-Dodan

Labels
Team:obs-ds-hosted-services Label for the Observability Hosted Services team [elastic/obs-ds-hosted-services]
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Kavindu-Dodan