Skip to content

feat: [AWS] OTel to ECS converter pipelines #15570

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 14 commits into
base: main
Choose a base branch
from
Open

feat: [AWS] OTel to ECS converter pipelines #15570

wants to merge 14 commits into from
+549 −13

Conversation

Kavindu-Dodan
Copy link
Contributor

@Kavindu-Dodan Kavindu-Dodan commented Oct 6, 2025
edited
Loading

Proposed commit message

This PR introduces OTel ECS converter integration for AWS signals.

The following table explains the supported signal type, source data set data must be ingested and the target data set converted data ends up,

Data source OTel data set (source) ECS data set (destination)
AWS ELB logs aws.elbaccess.otel aws.elb_logs
VPC flow logs aws.vpcflow.otel aws.vpcflow
CloudTrail logs aws.cloudtrail.otel aws.cloudtrail

The destination data set matches AWS Integration 1 and supports dashboard assets of the signal.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Build and install the OTel ECS converter integration
  • Install AWS integration assets only to obtain necessary assets like dashboards and pipelines
  • Ingest OTel native data from one of the supported sources (you can use EDOT AWS 2 for this)
  • Validate ingested data in destination data set & check ECS schema based dashboards

Footnotes

  1. https://www.elastic.co/docs/reference/integrations/aws

  2. https://www.elastic.co/docs/reference/opentelemetry/edot-cloud-forwarder/aws

@andrewkroh andrewkroh added New Integration Issue or pull request for creating a new integration package. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:aws AWS labels Oct 6, 2025
@Kavindu-Dodan Kavindu-Dodan force-pushed the feat/otel-convertor-pipelines branch 2 times, most recently from c94876a to 2abf6cf Compare October 8, 2025 14:35
@elastic-vault-github-plugin-prod
Copy link

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@Kavindu-Dodan Kavindu-Dodan force-pushed the feat/otel-convertor-pipelines branch 3 times, most recently from a72106b to 6ede16d Compare October 14, 2025 17:38
@Kavindu-Dodan Kavindu-Dodan added the enhancement New feature or request label Oct 14, 2025
@Kavindu-Dodan Kavindu-Dodan force-pushed the feat/otel-convertor-pipelines branch from 6ede16d to a67d742 Compare October 14, 2025 20:22
@Kavindu-Dodan Kavindu-Dodan changed the title [WIP] feat: OTel to ECS convertor pipelines [WIP] feat: [AWS] OTel to ECS convertor pipelines Oct 14, 2025
@Kavindu-Dodan Kavindu-Dodan changed the title [WIP] feat: [AWS] OTel to ECS convertor pipelines [WIP] feat: [AWS] OTel to ECS converter pipelines Oct 14, 2025
@Kavindu-Dodan Kavindu-Dodan force-pushed the feat/otel-convertor-pipelines branch 2 times, most recently from e912453 to 2c5186a Compare October 16, 2025 18:07
@Kavindu-Dodan Kavindu-Dodan changed the title [WIP] feat: [AWS] OTel to ECS converter pipelines feat: [AWS] OTel to ECS converter pipelines Oct 16, 2025
@Kavindu-Dodan Kavindu-Dodan force-pushed the feat/otel-convertor-pipelines branch from 5ad03c2 to 1046b11 Compare October 16, 2025 21:39
@Kavindu-Dodan Kavindu-Dodan marked this pull request as ready for review October 17, 2025 20:53
@Kavindu-Dodan Kavindu-Dodan requested review from a team as code owners October 17, 2025 20:53
@Kavindu-Dodan Kavindu-Dodan force-pushed the feat/otel-convertor-pipelines branch from 1046b11 to 4bd7b85 Compare October 17, 2025 20:55
vigneshshanmugam
vigneshshanmugam reviewed Oct 17, 2025
View reviewed changes
packages/otel_ecs_converter/manifest.yml
owner:
github: elastic/obs-ds-hosted-services
type: elastic
icons:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

System integration icon might fit better for this case. @mlunadia WDYT? Do we have anything with System Integration + OTel

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or maybe the elastic icon+OTel?

Copy link
Contributor Author

@Kavindu-Dodan Kavindu-Dodan Oct 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks both for suggestion, just for context, I have used OpenTelemetry and ECS icon here. ECS icon was taken from standard Elastic Icon assets (see https://brand.elastic.co/302f66895/p/031452-icons/b/90604e and check ECS)

kaiyan-sheng
kaiyan-sheng reviewed Oct 17, 2025
View reviewed changes
Copy link
Contributor

@kaiyan-sheng kaiyan-sheng left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add sample documents for each data stream to test the ingest pipelines? It should be under for example aws_cloudtrail/_dev/test/pipeline/test-aws-cloudtrail.json.

Also just curious why aws_elblogs has suffix logs but the other two dont? 😬

@Kavindu-Dodan
Copy link
Contributor Author

Could you add sample documents for each data stream to test the ingest pipelines? It should be under for example aws_cloudtrail/_dev/test/pipeline/test-aws-cloudtrail.json.

Also just curious why aws_elblogs has suffix logs but the other two dont? 😬

Thanks, good suggestion on sample documents. I will add them with the next PR.

Regarding naming, thi s matches existing AWS integration assets. ELB has both logs and metrics support. But for VPC and CloudTrail, there's only logs.

efd6
efd6 reviewed Oct 19, 2025
View reviewed changes
...ages/otel_ecs_converter/data_stream/aws_cloudtrail/elasticsearch/ingest_pipeline/default.yml Outdated
Comment on lines 134 to 137
on_failure:
- set:
field: error.message
value: '{{ _ingest.on_failure_message }}'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
on_failure:
- set:
field: error.message
value: '{{ _ingest.on_failure_message }}'
- set:
field: event.kind
value: pipeline_error
tag: set_pipeline_error_into_event_kind
if: ctx.error?.message != null
- append:
field: tags
value: preserve_original_event
allow_duplicates: false
if: ctx.error?.message != null
on_failure:
- append:
field: error.message
value: >-
Processor '{{{ _ingest.on_failure_processor_type }}}'
{{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
{{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
- set:
field: event.kind
tag: set_pipeline_error_to_event_kind
value: pipeline_error
- append:
field: tags
value: preserve_original_event
allow_duplicates: false

Copy link
Contributor Author

@Kavindu-Dodan Kavindu-Dodan Oct 20, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a nice suggestion. But I adapted it with some changes as we do not have an original event with OTel. When record reach the pipeline, we already have processed attributes and no original event.

See 1ce7062 and let me know we can agree on this :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@efd6 let me know your opinion on this :)

@andrewkroh andrewkroh added Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Oct 20, 2025
@elasticmachine
Copy link

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@Kavindu-Dodan Kavindu-Dodan force-pushed the feat/otel-convertor-pipelines branch from bd5e27b to 1ce7062 Compare October 20, 2025 18:10
@Kavindu-Dodan Kavindu-Dodan requested a review from efd6 October 21, 2025 14:10
Kavindu-Dodan and others added 14 commits October 21, 2025 07:10
@Kavindu-Dodan
chore: otel to ecf convertor pipeline
0640e2b 
Signed-off-by: Kavindu Dodanduwa <[email protected]>

# Conflicts:
#	packages/aws/changelog.yml
#	packages/aws/manifest.yml
@Kavindu-Dodan
feat: ELB routing and pipeline
f98731a 
Signed-off-by: Kavindu Dodanduwa <[email protected]>
@Kavindu-Dodan
chore: add code owners
6670410 
Signed-off-by: Kavindu Dodanduwa <[email protected]>
@Kavindu-Dodan
feat: add CloudTrail logs
699995a 
Signed-off-by: Kavindu Dodanduwa <[email protected]>
@Kavindu-Dodan
chore: rename and enhance
81d926c 
Signed-off-by: Kavindu Dodanduwa <[email protected]>
@Kavindu-Dodan
chore: add todo with reference to OTel issue
e50fd04 
Signed-off-by: Kavindu Dodanduwa <[email protected]>
@Kavindu-Dodan
set aws prefix for cloudtrail folder
1a5136e 
Signed-off-by: Kavindu Dodanduwa <[email protected]>
@Kavindu-Dodan
use pre_extracted field to check pre-filled status
8076fd2 
Signed-off-by: Kavindu Dodanduwa <[email protected]>
@Kavindu-Dodan @kaiyan-sheng
Update packages/aws/changelog.yml
2c57954 
Co-authored-by: kaiyan-sheng <[email protected]>
@Kavindu-Dodan @kaiyan-sheng
Update packages/otel_ecs_converter/_dev/build/docs/README.md
2a8767e 
Co-authored-by: kaiyan-sheng <[email protected]>
@Kavindu-Dodan @kaiyan-sheng
Update packages/otel_ecs_converter/_dev/build/docs/README.md
be2f6c4 
Co-authored-by: kaiyan-sheng <[email protected]>
@Kavindu-Dodan @kaiyan-sheng
Update packages/otel_ecs_converter/changelog.yml
a64be58 
Co-authored-by: kaiyan-sheng <[email protected]>
@Kavindu-Dodan
document generate
66b5746 
Signed-off-by: Kavindu Dodanduwa <[email protected]>
@Kavindu-Dodan
review changes
70ba55f 
Signed-off-by: Kavindu Dodanduwa <[email protected]>
@Kavindu-Dodan Kavindu-Dodan force-pushed the feat/otel-convertor-pipelines branch from 1ce7062 to 70ba55f Compare October 21, 2025 14:10
@elasticmachine
Copy link

💚 Build Succeeded

History

@Kavindu-Dodan
Copy link
Contributor Author

@kaiyan-sheng I looked into adding integration tests, but that requires me to define fields.yml matching all derived fields of the target target data sets. Given this is a converter from OTel to ECS, I do not we should define those target fields inside this component. So I will at least skip the tests in the initial tech preview version release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@efd6 efd6 Awaiting requested review from efd6

@vigneshshanmugam vigneshshanmugam Awaiting requested review from vigneshshanmugam

@kaiyan-sheng kaiyan-sheng Awaiting requested review from kaiyan-sheng

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:aws AWS New Integration Issue or pull request for creating a new integration package. Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@Kavindu-Dodan @elasticmachine @vigneshshanmugam @kaiyan-sheng @efd6 @andrewkroh