diff --git a/specs/agents/metadata.md b/specs/agents/metadata.md index d5c05307..781b3bd5 100644 --- a/specs/agents/metadata.md +++ b/specs/agents/metadata.md @@ -1,6 +1,6 @@ ## Metadata -As mentioned above, the first "event" in each ND-JSON stream contains metadata to fold into subsequent events. The metadata that agents should collect includes are described in the following sub-sections. +As mentioned above, the first "event" in each ND-JSON stream contains metadata to fold into subsequent events. The metadata that agents should collect is described in the following sub-sections. - service metadata - global labels (requires APM Server 7.2 or greater) @@ -77,6 +77,52 @@ hostname if `configured_hostname` is not provided. Agents that are APM-Server-version-aware, or that are compatible only with versions >= 7.4, should use the new fields wherever applicable. +> **_NOTE:_** We recently established that the various agents handle hostnames differently, with some sending an FQDN (when available) and others (such as the .NET agent) sending a simple hostname. To avoid breaking consumers, agents should continue sending the hostname as they already do. Logic will be introduced to split the hostname from an FQDN, when required, based on the configured feature flag. See below in the "Host domain name" section for further details of the proposed logic. + +#### Host domain name + +ECS 8.7 [updated](https://github.com/elastic/ecs/pull/2122) the definition of `host.name`, recommending using the +lowercase fully qualified domain name (FQDN) for the host name. All Elastic ECS producers should populate the +`host.name` field with the lowercased FQDN from here forward. This change is behind a +[feature flag](https://www.elastic.co/guide/en/fleet/current/elastic-agent-standalone-feature-flags.html#elastic-agent-standalone-feature-flag-settings) +on the Elastic agent to avoid breaking changes for users. Since APM agents do not know about the feature flag, +this decision must happen on the APM server. To support this, APM agents should collect and send the host domain name +(when available) to enable the APM server to construct the FQDN for `host.name` when the feature flag is enabled. + +APM agents should attempt to detect the host domain name, in addition to the hostname. When detected, the lowercase domain name of the +host should be used to set the `system.detected_domain_name` field. This will be combined with the `detected_hostname` +to form the final FQDN. + +When a `system.configured_hostname` is configured, it is the responsibility of the user to determine if +they wish to configure this with the FQDN or just the hostname. + +**Detecting the domain name** + +Agents can detect the domain name using framework APIs, or OS system calls if necessary. +For example, the .NET agent implementation will use the .NET API, +`IPGlobalProperties.GetIPGlobalProperties().DomainName` to access the domain name +for the host. This is provided by Microsoft as a cross-platform API and is +therefore well-tested and supported. + +On Windows, this ultimately calls down into the native `IpHlpApi.GetNetworkParams` +[function](https://learn.microsoft.com/en-us/windows/win32/api/iphlpapi/nf-iphlpapi-getnetworkparams), +collecting the information it needs from the +`FIXED_INFO` [structure](https://learn.microsoft.com/en-us/windows/win32/api/iptypes/ns-iptypes-fixed_info_w2ksp1). + +On Linux-based systems, it uses the `getdomainname()` [Linux system call](https://man7.org/linux/man-pages/man2/getdomainname.2.html), +and falls back to `uname` (sys/utsname.h) for other platforms such as Android. + +On .NET, while likely unnecessary, a further fallback can be introduced by accessing +the static `Environment.UserDomainName` property. On Windows, this will +attempt to invoke the `GetUserNameExW` [function](https://learn.microsoft.com/en-us/windows/win32/api/secext/nf-secext-getusernameexw) +from `secext.h`, from which the username portion is then trimmed. + +When not detected through OS system calls, agents should include a final fallback, +checking the system environment variable `USERDOMAIN`, which on Windows will contain +the name of the Windows domain the user is currently logged on to. + +> **_NOTE:_** As some agents may already send an FQDN for the `detected_hostname` field, logic will be required to extract the required components. When the `detected_hostname` includes the `detected_domain_name`, the `detected_domain_name` string can be removed, along with any remaining separators, to determine the simple `hostname`. If required, the hostname and domain name can later be re-combined by the feature flag configuration. For agents that already send a simple hostname for `detected_hostname`, that hostname will not include the domain name and can safely be combined with the `detected_domain_name` (if present) when the configuration requires an FQDN to be stored for ECS `host.name`. + #### Container/Kubernetes metadata On Linux, the container ID and some of the Kubernetes metadata can be extracted by parsing `/proc/self/cgroup`. For each line in the file, we split the line according to the format "hierarchy-ID:controller-list:cgroup-path", extracting the "cgroup-path" part. We then attempt to extract information according to the following algorithm: