-
Notifications
You must be signed in to change notification settings - Fork 40
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
need a solution for conflicts between ECS specified fields and user-logged fields #68
Comments
Yes, for example, these log statements:
yielding (currently) these log records:
result in this in the filebeat log:
Or, for short:
|
In Kibana's logging system, we use TypeScript to prevent situations like this (we have a set of typedefs for ECS exposed from core). TS will prevent folks from providing any values that aren't ECS-compliant when logging something from Kibana, but they can still override this via a generic type parameter that extends from ECS: logger.warn('some message', { ...some ECS-compliant metadata });
interface MyCustomMeta extends Ecs {
customField: boolean;
}
logger.warn<MyCustomMetadata>('some message', { customField: true, ...some ECS-compliant metadata }); Of course, this only works for us because most of Kibana is already written in TypeScript, and it probably doesn't make sense for a lib like ecs-logging.
We've discussed moving in this direction eventually as well. Kibana's audit logging implementation currently uses a dedicated |
It's a tricky one. I think we don't want to penalize legitimate use cases of adding ECS-compliant additional properties, such as To make constructing ECS-compliant objects easier, we could generate ECS TypeScript interfaces. But ideally, we'd still allow adding arbitrary structured metadata to logs. Conflicts are definitely a concern, however. Maybe we could map dynamic fields as |
Per @trentm moving #97 here as additional requirements: I noticed when I was working with the ECS NodeJS loggers that Metadata fields weren't name spaced. I can see one of three scenario's:
Here's an example configuration: const logger = winston.createLogger({
format: ecsFormat(),
level: "debug",
defaultMeta: {
defaultMeta: {
'environment': 'dev'
}
},
transports: [
new winston.transports.Console()
]
}) and a resulting output: {
"@timestamp": "2021-08-20T15:43:32.147Z",
"log.level": "debug",
"message": "Example with the default Meta Data fields.",
"ecs": {
"version": "1.6.0"
},
"environment": "dev"
} |
I have recently been thinking about this again and have discussed with other teams within Elastic. Here's what we came up with:
I think this would reconcile the requirements to easily add custom fields but avoid conflicts and data loss. Adding typescript types for ECS is still a good idea but orthogonal. |
Also related: elastic/elasticsearch#88777 |
I'm a user who stumbled on this thread after implementing a number of ECS fields in my logs using ecs-format-pino and a Pino mixin to expand the fields and handle some that do not work out of the box in my case, an AWS Lambda application. This includes fields such as From what I see in the source ecs-logging-nodejs/loggers/pino/index.js Lines 185 to 186 in 08cbec4
Before I proceed any further I wanted to ask whether users should not be implementing ECS fields on their own, when using this library? Or we should do so only if accepting the risk that logs may not be ingested due to a conflict? I'm unsure what the conflict would be exactly with the above handling though. Seems like something that should be in the docs. In my case I am tempted to derive my own formatter from this project to avoid any possibility of conflict while being able to enrich our logs with as much ECS metadata as we can. From what has been discussed in this thread it appears that the original intent of this library was to abstract ECS away. |
@pushred This library hasn't made a clear decision on this. I think -- it has been a while, I'd have to look again -- some of the Currently the ecs-logging-nodejs formatters are punting on the problem: while they attempt to be careful when they add fields to (a) follow the ECS schema and (b) not blow away any data added by the user; there is still the issue that if a user adds, say, Punting on the issue is poor. I haven't had a chance for a while to wade back into this and try to decide whether these formatters should:
|
Got it, thanks for the update and summary. In my case I was forced to add some fields — For these fields that can be populated when |
ECS specifies a lot of top-level fields. Currently the node.js ecs-logging loggers in this repo do not, in general, deal with conflicts between a user-specified field and the ECS specified field types, e.g.:
If there is a conflict, my understanding is that the log record(s) will fail to be imported into Elasticsearch. I'm not sure if that shows up in filebeat logs, but it is certainly downstream of the app doing the logging.
We need a solution for this. Some early thoughts:
We could just document the issue and not deal with conflicts in the library. This is somewhat what the ecs-logging docs say about custom fields. Having the logging libraries work through all logged custom fields and guarding against conflicts isn't practical: it would be expensive/slow and brings up the question of whether to move or drop conflicting fields (silently or with warnings) or make that configurable.
Leaving it to the user of the ecs-logging lib can be onerous on the user. Some users, more engaged with ECS, might be happy to take on the burden of handling ECS fields. Most users, probably not. The case is more of a problem with proposed/possible automatic configuration of an apps logging to do ecs-logging. In this case the app developer may not be involved, so definitely cannot accept the responsibility of using ECS-conformant fields.
Another option would be to have the node.js ecs-logging libs put all user-provided fields under a
labels: {...}
orcustom: {...}
namespace. I vaguely recall that the .NET ecs-logging libs do this (not sure which name they use).Another option would be to have a configurable mode for that. At least for node.js ecs-logging libs that would provide a migration path from the current v1.x versions that do not do namespacing.
The text was updated successfully, but these errors were encountered: