[Keycloak] Prevent data_stream fields from being overwritten by the log #17229
Closed
SimonKoetting wants to merge 2 commits into elastic:main from
💚 Build Succeeded
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
chrisberkhout (Contributor) requested changes, Feb 16, 2026
I think the better way to do this is to modify
Side note: if we were going with this PR, it would need the following to make it build with the new version of elastic-package:
diff --git a/packages/keycloak/kibana/dashboard/keycloak-5aecc44a-16d7-47db-805a-245ef0d1bf77.json b/packages/keycloak/kibana/dashboard/keycloak-5aecc44a-16d7-47db-805a-245ef0d1bf77.json
index e54396e0af..90ab7989f8 100644
--- a/packages/keycloak/kibana/dashboard/keycloak-5aecc44a-16d7-47db-805a-245ef0d1bf77.json
+++ b/packages/keycloak/kibana/dashboard/keycloak-5aecc44a-16d7-47db-805a-245ef0d1bf77.json
@@ -908,13 +908,8 @@
"id": "logs-*",
"name": "8eb4b16a-a99f-4e5a-9626-e5cf691e1e66:indexpattern-datasource-layer-885448e8-6f26-4229-893f-b5eca782158b",
"type": "index-pattern"
- },
- {
- "id": "keycloak-security-solution-default",
- "name": "tag-ref-security-solution-default",
- "type": "tag"
}
],
"type": "dashboard",
"typeMigrationVersion": "8.9.0"
-}
\ No newline at end of file
+}
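Review bot: the entry dropped from the end of the `references` array points at `keycloak-security-solution-default`, the same id as the object deleted in the next file, so the two removals only hold together if nothing else in the package still refers to that id. Please confirm that no other saved object, and no panel inside this dashboard, still uses `tag-ref-security-solution-default`. The last lines of the hunk also add the missing newline at end of file; mention that in the commit message so the formatting change is not mistaken for a content change.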
diff --git a/packages/keycloak/kibana/tag/keycloak-security-solution-default.json b/packages/keycloak/kibana/tag/keycloak-security-solution-default.json
deleted file mode 100644
index b909ee237b..0000000000
--- a/packages/keycloak/kibana/tag/keycloak-security-solution-default.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "attributes": {
- "color": "#F583B7",
- "description": "Tag defined in package-spec",
- "name": "Security Solution"
- },
- "coreMigrationVersion": "8.8.0",
- "created_at": "2025-04-28T11:29:23.759Z",
- "id": "keycloak-security-solution-default",
- "managed": false,
- "references": [],
- "type": "tag",
- "typeMigrationVersion": "8.0.0"
-}
\ No newline at end of file
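Review bot: deleting this file removes the only visible definition of the "Security Solution" tag (`"name": "Security Solution"`), and nothing in the patch shows where the dashboard gets that tag afterwards. The description, "Tag defined in package-spec", suggests the tag is meant to be declared in the package rather than shipped as an exported saved object; please state where it is defined after this change, or add that definition in the same change, so the dashboard does not silently lose its tag.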
Contributor
@SimonKoetting Here's the more general fix I think we should do: #17430
Contributor, Author
@chrisberkhout all right, fine for me :) I'll go ahead and close this PR. Thanks!
The ECS logs of Keycloak contain the data_stream.type field, which is set to logs.
As the pipeline is parsing the message as JSON and overwriting the root object, this leads to the data_stream object being overwritten in the ingest-pipeline so only data_stream.type is stored in the document in ES while dataset & namespace get lost.
This PR removes the data_stream object from the JSON generated from the log before it overwrites the data_stream object already present in the event.
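
The overwrite described above, modeled as an added example (not code from the PR or from the integration): the parsed log's top-level keys replace the event's, first as-is and then with `data_stream` dropped beforehand, followed by a check for the lost routing fields. The sample event, its dataset and namespace values, the nested shape of the log's `data_stream` field, and all function names are assumptions made for illustration.

```python
import copy
import json

# Constructed sample: an event that already carries routing fields, with the
# raw Keycloak ECS log line (shape assumed) still unparsed in `message`.
EVENT = {
    "data_stream": {"type": "logs", "dataset": "keycloak.log", "namespace": "default"},
    "message": json.dumps({
        "@timestamp": "2026-01-01T00:00:00.000Z",
        "log": {"level": "INFO"},
        "message": "Keycloak started",
        "data_stream": {"type": "logs"},
    }),
}

REQUIRED = ("type", "dataset", "namespace")


def parse_to_root(event, drop=()):
    """Model of 'parse `message` as JSON and write it over the document root'.

    Every top-level key of the parsed object replaces the same key of the
    event as a whole (no deep merge). Keys named in `drop` are removed from
    the parsed object first, which is the approach this PR describes.
    """
    parsed = json.loads(event["message"])
    for key in drop:
        parsed.pop(key, None)
    doc = copy.deepcopy(event)
    doc.update(parsed)  # shallow: a nested object is swapped, not merged
    return doc


def missing_data_stream_fields(doc):
    """Return the routing fields absent from the final document."""
    ds = doc.get("data_stream")
    if not isinstance(ds, dict):
        return list(REQUIRED)
    return [field for field in REQUIRED if field not in ds]


if __name__ == "__main__":
    before = parse_to_root(EVENT)
    after = parse_to_root(EVENT, drop=("data_stream",))
    print("without the fix, missing:", missing_data_stream_fields(before))
    print("with the fix, missing:   ", missing_data_stream_fields(after))
```
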