Spring boot package [Audit events - data stream] #2977
Conversation
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
|
Pinging @elastic/integrations (Team:Integrations) |
| - name: spring_boot | ||
| type: group | ||
| fields: | ||
| - name: auditevents |
There was a problem hiding this comment.
This is inconsistent with the data_stream name.
There was a problem hiding this comment.
@sunny-elastic can you use the data stream name here?
...g_boot/data_stream/audit_events/_dev/test/pipeline/test-auditevent-metrics.log-expected.json
Show resolved
Hide resolved
| fields: | ||
| - name: remote_address | ||
| type: keyword | ||
| description: Remote Address of the Spring Boot application |
There was a problem hiding this comment.
Remote address of the application or user?
There was a problem hiding this comment.
As this field got extracted from event.original as we addressed in previous comment. And this looks remote address of user.
There was a problem hiding this comment.
Just to be sure, could you please double-check it with Spring docs or source code? Usually, you don't collect server IP address, but user IP, hence I'm confused.
There was a problem hiding this comment.
yes its user ip address and not the server ip address.
| description: Remote Address of the Spring Boot application | ||
| - name: session_id | ||
| type: keyword | ||
| description: Session ID of the Spring Boot application |
There was a problem hiding this comment.
Session ID of user or application?
There was a problem hiding this comment.
As this field got extracted from event.original as we addressed in previous comment. And this looks session id of user
There was a problem hiding this comment.
If this field concerns the user, let's rephrase the description accordingly.
| description: Session ID of the Spring Boot application | ||
| - name: principal | ||
| type: keyword | ||
| description: Restricts the events to those with the given principal |
There was a problem hiding this comment.
Could you please rephrase it? I'm not sure that I understand what is this field about.
There was a problem hiding this comment.
So here this principal is basically referring to the user. and those remote address and session id fields for that specific principal that is user.
| "spring_boot": { | ||
| "audit_events": { | ||
| "data": { | ||
| "session_id": "192.168.32.6" |
There was a problem hiding this comment.
Why session ID is IP address? Did you dump this event or prepared manually?
| fields: | ||
| - name: remote_address | ||
| type: keyword | ||
| description: Remote Address of the Spring Boot application |
There was a problem hiding this comment.
Just to be sure, could you please double-check it with Spring docs or source code? Usually, you don't collect server IP address, but user IP, hence I'm confused.
|
@mtojek yes remote_address refer to the user ip address and not the server ip address. |
|
Thanks for checking this. Could you please post a link to the documentation or Spring Boot source, in case somebody in the future will have similar concerns? |
yeah sure. so here are few links for spring boot documentation for audit events |
| @@ -0,0 +1,3 @@ | |||
| dependencies: | |||
| ecs: | |||
| reference: [email protected] | |||
There was a problem hiding this comment.
I think you can update it to 8.1, as you're setting the ecs.version in the pipeline to 8.1.0.
There was a problem hiding this comment.
Done. fixed. Thanks!
What does this PR do?
Checklist
changelog.ymlfile.manifest.ymlfile to point to the latest Elastic stack release (e.g.^8.0.0).How to test this PR locally
Note: We have covered dashboards and the visualisations for all data streams of spring boot into separate PR. Also Kibana version will be updated to 8.1.0 in manifest.yml after testing this integration on 8.1.0.