Feat: ECS compatibility (added headers_target and attachments_target) #55
Conversation
due `lowercase_headers => true` default
kares
changed the title
lib/logstash/inputs/imap.rb
Outdated
| next if name == "Date" | ||
|
|
||
| case (field = event.get(name)) | ||
| targeted_name = "#{@headers_target}[#{name}]" |
There was a problem hiding this comment.
Example: pre-normalizing the @headers_target isn't strictly necessary, as the syntax allows for Composite References
| targeted_name = "#{@headers_target}[#{name}]" | |
| targeted_name = "[#{@headers_target}][#{name}]" |
There was a problem hiding this comment.
thanks, would still rather keep the 'canonical' form here - subjectively find it less confusing than the composite.
we end up using what the user set with the exception of the bare foo form being wrapped ([foo]), the normalization code is similar to what we have in the field reference validator.
it's also clearer this way to handle the case when headers_target is nil -> [name]
There was a problem hiding this comment.
this brings up a good question though, when user explicitly sets a headers_target => ''
think we should treat it as a way to disabled the target -> user does not want headers (already present in #56 but I think it makes sense to ship here) instead of treating it as if headers_target was not set and setting stuff at top level.
or does this sound confusing?
(would give us a way for users to opt-out of attachments_target once we ship email.* field support in the future)
There was a problem hiding this comment.
I agree that setting headers_target => '' should read as an explicit instruction to not place the headers anywhere, and distinctly different than not supplying a headers_target instruction. We will need to call this out in the docs, and will need to add specs to ensure that it passes validation.
When the email RFC gets finalized, we will need a separate way to opt into the RFC format, and when this future mode is active we can also inject better defaults for related options.
There was a problem hiding this comment.
I agree that setting
headers_target => ''should read as an explicit instruction to not place the headers anywhere, and distinctly different than not supplying a headers_target instruction. We will need to call this out in the docs, and will need to add specs to ensure that it passes validation.
✔️ (pending 6.x compatibility headers_target => '' logstash-plugins/logstash-mixin-validator_support#2)
there's one extra change since last review - not skipping the date header (despite the header being duplicate information as it's also used for event.timestamp = LogStash::Timestamp.new(mail.date.to_time)) - initially considered it a bug but the date header was present with the plugins defaults due:
lowercase_headersbeing on by default- the plugin was checking the header name to ==
"Date"after the lower-case operation
so while it looks like a bug the "fix" (to properly skip the header regardless or lowercase_headers setting) might break pipelines thus an alternate resolution to never skip the date headers seems more appropriate.
| @@ -221,7 +266,6 @@ def parse_mail(mail) | |||
|
|
|||
| def stop | |||
| Stud.stop!(@run_thread) | |||
| $stdin.close | |||
otherwise a potential nil.to_s would never be nil
despite this being a duplicate information
|
🔴 CI due incompatibility with |
|
LGTM pending resolution of logstash-plugins/logstash-mixin-validator_support#2 |
When ECS compatibility is disabled, mail headers and attachments are targeted at the root level.
When targeting an ECS versionn, headers and attachments target
@metadatasub-fields unless configured otherwise in orderto avoid conflict with ECS fields.
This is achieved by having 2 new options:
headers_target(for header names e.g."From","Subject","X-Spam-Score")attachments_targetNOTE: headers are lower-cased by default, this settings stays the same in ECS mode.
Further, decided NOT to
tr('-', '_')as an attempt to under_score names e.g."X-Spam-Score"->"x_spam_score", this would likely need another configuration option to maintain backwards compatibility (things could get a bit out of hand with multiple things changing due ECS mode).There's an RFC for providing
email.*fields in ECS, this isn't part of the PR, however there's a draft waiting for the RFC to become stable or at least the stage 2 RFC to get pushed (e.g. as these changes were developed the RFC changed the mapping in a way that would have created ECS conflicts).Also includes some minor fixes that came along the way, notably the
Dateheader is no longer skipped as that only worked whenlowercase_headers => falsewas specified.