[Elastic Agent] Add a new Custom Filestream integration #5370
Comments
pierrehilbert
added
the
Team:Elastic-Agent-Data-Plane
|
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane) |
|
@nimarezainia Should this issue be moved to the https://github.com/elastic/integrations/ repo as that's where the custom log integration is defined? |
No I believe that this is owned by the data plane team. (fyi @flexitrev ) |
|
Linking these here for record keeping: elastic/integrations#4609 |
|
Could we migrate the Custom Logs integration to use Filestream instead? We have the take-over mode in Filestream that is capable of getting the state from a file being harvested by the Log input and use it in the Filestream input, the only thing missing is an automated way to convert the configuration (specially the custom configuration field). It might also need some extra work because the way the Elastic-Agent divides the integrations per input type when starting component.s Just adding a new integration might make it harder to migrate the state and confusing for users finding both when searching. |
We could, but it is a lot more work, in addition to what you mentioned it is blocked by: Creating a new integration at least stops new instances of the deprecated input being used with low effort. The migration problem should still be solved but it doesn't need to block creating a filestream based integration given how long solving migration correctly is likely to take. |
Do you mean reverting it? That's an option and it's an interesting starting point. My first idea was to just copy the Custom Logs integration, edit it to use filestream and update the docs, but I can start from reverting this PR as well. |
|
elastic/integrations#4609 was using a package spec version of 1.0.0 so there might be some changes required. |
|
Folks, I create a draft PR, there are I'd like your opinion on (@nimarezainia, @jlind23) Currently I'm using fingerprint as the only option and allowing to configure the offset and length. I believe that is the best option because this is the file identity we implemented to solve the issues we were having with inode reuse and the one we recommend to our users. The reason I did not add any of the other ones is because while I can define a variable/input field as a selection from a list, the template language used is somehow limited and there is no way to use this selection values to render the correct policy. Having all options a boolean/toggle is very confusing because only one can be used at a time. I asked on slack for some suggestions/help, if there is a way 2. Which name do we want for the integration? I was thinking about something like "Custom Logs V2","Custom Logs enhanced", something that makes it clear this one should be used instead of the "Custom Logs". 3. Is there any preference for the initial version? 4. When do we need to release the first version? |
If people want to use the take over mode to migrate from custom logs one day, do we want to give them the option to do that with the same file identity? I think this might actually be a requirement of the take over mode (once it actually works for Elastic Agent). |
IIRC we spoke with @nimarezainia and @strawgate about renaming "Custom logs" to "Custom logs (Legacy)" so naming this one "Custom Filestream Logs" would make sense. |
Would this rename happen at the same time/version where we release the Custom Filestream logs? |
That makes sens. Then we need to find the best way to help users not to create an invalid configuration for their Filestream integration. I'll look into this. |
Once the Custom Filestream logs integration is published we would have to create a new PR that will update the Custom Log title, yes. |
@belimawr Regarding configurations available: all the options available to configure filestream should be configurable. e need to accommodate a user migrating from Custom Logs integration to Custom Filestream Logs. |
I did some testing and looked at the code for the take over mode, currently it only works if the file identity used is the same for the log and filestream inputs.
@nimarezainia, I made all configurations available, however for the file_identity I only added an option for fingerprint. My reasoning is:
Here is how this part of the configuration looks like: |
|
@belimawr don't think about it too much :-) - file identity is fine. We can capture requirements if they come up. |
The fingerprint identity will be enabled by default, right? |
At the moment it's not on the draft PR, but that's a very good point, I'll enable it by default. |
|
https://www.elastic.co/guide/en/beats/filebeat/current/multiline-examples.html Will the parsers section be included to configure multiline messages? |
Yes, the parsers will be there, the goal is to support all configuration options from Filestream. |
Our current Custom log integration is based on the log input which is now being deprecated. We therefore need to introduce a Custom Filestream integration so users can migrate over to using this integration instead.
The text was updated successfully, but these errors were encountered: