[new integration] Backstage audit logs#19408
Conversation
Elastic Docs Style Checker (Vale)Summary: 2 suggestions found 💡 Suggestions (2): Optional style improvements. Apply when helpful.
The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale. |
This comment has been minimized.
This comment has been minimized.
…5-backstage-audit-integration
Replace scaffold placeholder icon/screenshot with the real Backstage icon, remove the stray package-root sample_event.json (belongs under the data stream instead), and correct the root manifest's Kibana version constraint from an overly narrow pinned version to the current package standard.
Replace the placeholder link with the real pull request URL.
…ield cleanup - Set event.kind/category/type as proper ECS arrays via append, and derive event.outcome from the Backstage audit status (initiated -> unknown, succeeded -> success, failed -> failure). - Guard the isAuditEvent drop check with null-safe navigation so events without a parsed json object are dropped cleanly instead of throwing. - Map the actor's IP to the primary ECS source.ip field (in addition to related.ip for correlation) rather than only ever appending it to related.ip. - Remove processors left over from earlier refactors that no longer do anything: two dead `remove` steps targeting field paths that never exist (json.user_agent, json.message) and a third that became dead once the actor IP is now consumed by a rename into source.ip. - Add ignore_missing to renames that would otherwise throw if their source field is ever absent on a valid audit event. - Split fields/agent.yml into agent.yml (Elastic Agent metadata) and beats.yml (Filebeat-emitted fields), matching the convention used by other filestream-based packages. - Add fields/ecs.yml declaring every ECS field the pipeline sets (event.kind/category/type/outcome/severity/action/provider/code, log.level, url.*, user_agent.original, user.id, related.*, http.request.method, source.ip) so they resolve correctly and show up in the generated documentation. - Drop backstage.plugin (superseded by event.provider) and fix the backstage.meta description to reference the field path the pipeline actually populates (backstage.query.*, not backstage.audit.query.*).
… vars - Fix a stray leading space before prospector.scanner.symlinks that broke the rendered YAML for every deployment (follow.symlinked_files defaults to true, so this key was emitted by default). - Correct the paths variable's default from /var/logs/*.log (plural) to /var/log/*.log, matching standard convention and this package's own docker-based system test deployment. - Add exclude_files, parsers, and follow.symlinked_files stream vars so the template's corresponding Handlebars blocks are backed by real, documented manifest variables.
Replace real-looking hostnames, internal IPs, and identifiers in the pipeline test log with RFC 5737 documentation IPs and example.com/ example.internal placeholders. Add test-common-config.yml so every pipeline test fixture exercises the preserve_original_event tag, matching the retention behavior configured in the pipeline. Regenerate the expected pipeline output to match the current pipeline and anonymized input.
- Correct event.module -> event.provider in the doc template's plugin correlation guidance, matching the field the pipeline actually populates. - Fix the doc template's hardcoded paths default to /var/log/*.log. - Remove an incomplete sentence fragment left over from an earlier edit. - Regenerate data_stream/audit_logs/sample_event.json and docs/README.md via `elastic-package build` so the exported fields table and sample event reflect the current pipeline and ecs.yml.
…:elastic/integrations into feat/28055-backstage-audit-integration
💔 Build Failed
Failed CI StepsHistory
|
|
✅ All changelog entries have the correct PR link. |
TL;DR
Remediation
Investigation detailsRoot CauseThe CODEOWNERS validator resolves owners for each package manifest path and requires one resolved CODEOWNER to exactly equal Relevant validator logic: Evidence
Verification
What is this? | From workflow: PR Buildkite Detective Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not. |
Still WIP, opening as draft to get early feedback
What: Ingest audit logs from backstage into elastic search.
Fixes: https://github.com/elastic/enhancements/issues/28055
Proposed commit message
Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
Related issues
Screenshots