[BUG] Metadata EventId.Name not being set #407

Open
cjlotz opened this issue Jun 22, 2024 · 3 comments

cjlotz commented Jun 22, 2024

ECS integration/library project(s) (e.g. Elastic.CommonSchema.Serilog): Serilog.Sinks.ElasticSearch

ECS schema version (e.g. 1.4.0): 8.11.1

ECS .NET assembly version (e.g. 1.4.2): 8.11.1

Elasticsearch version (if applicable): 8

.NET framework / OS: .NET 8/Windows

Description of the problem, including expected versus actual behavior:

After upgrading from 8.11.0 to 8.11.1, it seems like the Microsoft.Extensions.Logging.EventId.Name is not being mapped to metadata.EventId.Name anymore.

Here are some sample snippets of an event definition:

public static readonly EventId SystemEventHandled = new(LoggingConstants.RuntimeEvents + 78, nameof(SystemEventHandled));

private static readonly Action<ILogger, string, Exception> _systemEventHandled = LoggerMessage.Define<string>(
      LogLevel.Information, RuntimeEvents.SystemEventHandled, "{EventAction}");

Here is the output of events logged using 8.11.0 as seen in Kibana. Notice that the metadata.EventId.Name is set (4th column)

[Screenshot: working-8 11 0]

Here is the output of events after updating to 8.11.1. Notice that the metadata.EventId.Name is now not being set

[Screenshot: not-working-8 11 1]

No code changes were made except for updating the NuGet package reference for Elastic.CommonSchema.Serilog from 8.11.0 to 8.11.1.

cjlotz added the bug label Jun 22, 2024

@Mpdreamz
Member

These should be mapped to event.id and event.name now. Can you confirm if this is the case?

cjlotz commented Sep 19, 2024

Hello. I'm not observing that behaviour. I also don't see an event.name on the 8.11 ECS schema definition? Do I have to drop and recreate the index?

Here is the output for an example JobDispatching event in 8.11.0

{
  "_index": "onkey-development",
  "_id": "MVQQCpIBtIbVnz-jbLwZ",
  "_version": 1,
  "_score": 0,
  "_source": {
    "@timestamp": "2024-09-19T13:35:00.0102818+02:00",
    "log.level": "Information",
    "message": "Tenants 1",
    "ecs.version": "8.11.0",
    "log": {
      "logger": "Pragma.OnKey.Runtime"
    },
    "labels": {
      "MessageTemplate": "Tenants {CounterOne}",
      "MachineKey": "RD06311-CARELL"
    },
    "agent": {
      "type": "Elastic.CommonSchema.Serilog",
      "version": "8.11.0+20346170742d13e4c2b26ef5c7aaad534970f06b"
    },
    "event": {
      "created": "2024-09-19T13:35:00.0102818+02:00",
      "severity": 2,
      "timezone": "South Africa Standard Time"
    },
    "process": {
      "thread.id": 61
    },
    "service": {
      "name": "Pragma.OnKey.Server",
      "type": "dotnet",
      "version": "2024.14.0"
    },
    "metadata": {
      "CounterOne": 1,
      "EventId": {
        "Id": 160,
        "Name": "JobDispatching"
      }
    }
  },
  "fields": {
    "agent.version.keyword": [
      "8.11.0+20346170742d13e4c2b26ef5c7aaad534970f06b"
    ],
    "log.level.keyword": [
      "Information"
    ],
    "service.type.keyword": [
      "dotnet"
    ],
    "metadata.CounterOne": [
      1
    ],
    "service.name.keyword": [
      "Pragma.OnKey.Server"
    ],
    "log.logger": [
      "Pragma.OnKey.Runtime"
    ],
    "service.type": [
      "dotnet"
    ],
    "agent.type": [
      "Elastic.CommonSchema.Serilog"
    ],
    "labels.MessageTemplate.keyword": [
      "Tenants {CounterOne}"
    ],
    "ecs.version.keyword": [
      "8.11.0"
    ],
    "service.version.keyword": [
      "2024.14.0"
    ],
    "log.level": [
      "Information"
    ],
    "labels.MessageTemplate": [
      "Tenants {CounterOne}"
    ],
    "event.timezone": [
      "South Africa Standard Time"
    ],
    "agent.type.keyword": [
      "Elastic.CommonSchema.Serilog"
    ],
    "metadata.EventId.Name": [
      "JobDispatching"
    ],
    "event.severity": [
      2
    ],
    "labels.MachineKey": [
      "RD06311-CARELL"
    ],
    "service.name": [
      "Pragma.OnKey.Server"
    ],
    "message": [
      "Tenants 1"
    ],
    "metadata.EventId.Id": [
      160
    ],
    "@timestamp": [
      "2024-09-19T11:35:00.010Z"
    ],
    "labels.MachineKey.keyword": [
      "RD06311-CARELL"
    ],
    "metadata.EventId.Name.keyword": [
      "JobDispatching"
    ],
    "service.version": [
      "2024.14.0"
    ],
    "ecs.version": [
      "8.11.0"
    ],
    "event.created": [
      "2024-09-19T11:35:00.010Z"
    ],
    "message.keyword": [
      "Tenants 1"
    ],
    "log.logger.keyword": [
      "Pragma.OnKey.Runtime"
    ],
    "agent.version": [
      "8.11.0+20346170742d13e4c2b26ef5c7aaad534970f06b"
    ],
    "process.thread.id": [
      61
    ],
    "event.timezone.keyword": [
      "South Africa Standard Time"
    ]
  }
}

and here is the output for the JobDispatching event after updating to 8.11.1

{
  "_index": "onkey-development",
  "_id": "cVQKCpIBtIbVnz-jArtZ",
  "_version": 1,
  "_score": 0,
  "_source": {
    "@timestamp": "2024-09-19T13:27:59.9852381+02:00",
    "log.level": "Information",
    "message": "Tenants 1",
    "ecs.version": "8.11.0",
    "log": {
      "logger": "Pragma.OnKey.Runtime"
    },
    "labels": {
      "MessageTemplate": "Tenants {CounterOne}",
      "MachineKey": "RD06311-CARELL"
    },
    "agent": {
      "type": "Elastic.CommonSchema.Serilog",
      "version": "8.11.1+69a082298d546f804e5610128818fbf9154b9958"
    },
    "event": {
      "action": "JobDispatching",
      "code": "160",
      "created": "2024-09-19T13:27:59.9852381+02:00",
      "severity": 2,
      "timezone": "South Africa Standard Time"
    },
    "process": {
      "thread.id": 39
    },
    "service": {
      "name": "Pragma.OnKey.Server",
      "type": "dotnet",
      "version": "2024.14.0"
    },
    "metadata": {
      "CounterOne": 1
    }
  },
  "fields": {
    "agent.version.keyword": [
      "8.11.1+69a082298d546f804e5610128818fbf9154b9958"
    ],
    "log.level.keyword": [
      "Information"
    ],
    "service.type.keyword": [
      "dotnet"
    ],
    "metadata.CounterOne": [
      1
    ],
    "service.name.keyword": [
      "Pragma.OnKey.Server"
    ],
    "event.code.keyword": [
      "160"
    ],
    "log.logger": [
      "Pragma.OnKey.Runtime"
    ],
    "service.type": [
      "dotnet"
    ],
    "agent.type": [
      "Elastic.CommonSchema.Serilog"
    ],
    "labels.MessageTemplate.keyword": [
      "Tenants {CounterOne}"
    ],
    "ecs.version.keyword": [
      "8.11.0"
    ],
    "service.version.keyword": [
      "2024.14.0"
    ],
    "log.level": [
      "Information"
    ],
    "event.action.keyword": [
      "JobDispatching"
    ],
    "labels.MessageTemplate": [
      "Tenants {CounterOne}"
    ],
    "event.timezone": [
      "South Africa Standard Time"
    ],
    "agent.type.keyword": [
      "Elastic.CommonSchema.Serilog"
    ],
    "event.severity": [
      2
    ],
    "labels.MachineKey": [
      "RD06311-CARELL"
    ],
    "service.name": [
      "Pragma.OnKey.Server"
    ],
    "message": [
      "Tenants 1"
    ],
    "event.action": [
      "JobDispatching"
    ],
    "@timestamp": [
      "2024-09-19T11:27:59.985Z"
    ],
    "event.code": [
      "160"
    ],
    "labels.MachineKey.keyword": [
      "RD06311-CARELL"
    ],
    "service.version": [
      "2024.14.0"
    ],
    "ecs.version": [
      "8.11.0"
    ],
    "event.created": [
      "2024-09-19T11:27:59.985Z"
    ],
    "message.keyword": [
      "Tenants 1"
    ],
    "log.logger.keyword": [
      "Pragma.OnKey.Runtime"
    ],
    "agent.version": [
      "8.11.1+69a082298d546f804e5610128818fbf9154b9958"
    ],
    "process.thread.id": [
      39
    ],
    "event.timezone.keyword": [
      "South Africa Standard Time"
    ]
  }
}

snakefoot commented Sep 19, 2024

Believe that EventId.Name is mapped to event.action (Curious why it is a json-array):

    "event.action": [
      "JobDispatching"
    ],

logEvent.Event = new Event { Action = eventId.Name, Code = eventId.Id.ToString(), Severity = logLevel.ToEcsSeverity() };

var nameProp = dv.Properties.FirstOrDefault(p => p.Name == "Name");
var eventAction = nameProp?.Value is ScalarValue n ? n.Value as string : null;
if (eventAction != null)
    evnt.Action = eventAction;

EventAction = "${event-properties:EventName}";
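For dashboards or detection queries that have to cover an index holding documents from both package versions, the two layouts shown in this thread can be read through one accessor. This is an added example, not code from the issue or from the Elastic ECS .NET project; `get_path`, `event_identity` and `LAYOUTS` are hypothetical names, and the sample documents are trimmed copies of the `_source` bodies posted above.

```python
# Added example; helper names are hypothetical, not part of any Elastic library.

def get_path(doc, path):
    """Resolve a dotted path in a _source that mixes nested objects with
    dotted keys, e.g. {"process": {"thread.id": 61}}."""
    if not isinstance(doc, dict):
        return None
    if path in doc:
        return doc[path]
    parts = path.split(".")
    # Try each prefix as a literal key, longest first, then recurse into it.
    for i in range(len(parts) - 1, 0, -1):
        head, rest = ".".join(parts[:i]), ".".join(parts[i:])
        if head in doc:
            found = get_path(doc[head], rest)
            if found is not None:
                return found
    return None


# (layout name, id path, name path); the newer layout is checked first.
LAYOUTS = [
    ("event.*", "event.code", "event.action"),
    ("metadata.EventId.*", "metadata.EventId.Id", "metadata.EventId.Name"),
]


def event_identity(source):
    """Return (code, action, layout); code is always a string because
    8.11.1 writes "160" where 8.11.0 wrote the integer 160."""
    for layout, id_path, name_path in LAYOUTS:
        code, action = get_path(source, id_path), get_path(source, name_path)
        if code is not None or action is not None:
            return (None if code is None else str(code), action, layout)
    return (None, None, "none")


# Constructed samples: trimmed copies of the two _source bodies in this thread.
DOC_8_11_0 = {"event": {"severity": 2}, "process": {"thread.id": 61},
              "metadata": {"CounterOne": 1,
                           "EventId": {"Id": 160, "Name": "JobDispatching"}}}
DOC_8_11_1 = {"event": {"action": "JobDispatching", "code": "160", "severity": 2},
              "process": {"thread.id": 39}, "metadata": {"CounterOne": 1}}

if __name__ == "__main__":
    for doc in (DOC_8_11_0, DOC_8_11_1):
        print(event_identity(doc))
```

The returned layout name shows which documents still carry the pre-8.11.1 fields, which helps when deciding whether saved searches keyed on `metadata.EventId.Name` need a second clause on `event.action`.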
