Skip to content

[hashicorp_vault] feat: populate and parse user_agent from audit request User-Agent header#20122

Open
lyoung-confluent wants to merge 2 commits into
elastic:mainfrom
lyoung-confluent:claude/vault-audit-user-agent
Open

[hashicorp_vault] feat: populate and parse user_agent from audit request User-Agent header#20122
lyoung-confluent wants to merge 2 commits into
elastic:mainfrom
lyoung-confluent:claude/vault-audit-user-agent

Conversation

@lyoung-confluent

@lyoung-confluent lyoung-confluent commented Jul 14, 2026

Copy link
Copy Markdown

Proposed commit message

WHAT:
In the hashicorp_vault audit data stream ingest pipeline, add a painless script that reads the User-Agent header from hashicorp_vault.audit.request.headers field and populates user_agent.original. The header value is unwrapped from its list form and skipped when it starts with hmac-, since Vault can be configured to HMAC header values and the digest is not a meaningful user agent. A subsequent user_agent processor then parses user_agent.original into the standard ECS subfields, matching the pattern used across the rest of the repo. The parsed ECS fields are declared in fields/ecs.yml.

WHY:
Surfacing the request User-Agent as structured ECS user_agent.* fields makes Vault audit events consistent with other integrations and enables filtering/aggregation by client without parsing raw headers.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

cd packages/hashicorp_vault
elastic-package test pipeline --data-streams audit

The test-faked-all-fields pipeline test was extended (no new document added):

  • One existing request event now carries a real User-Agent (Go-http-client/2.0) to exercise parsing into user_agent.*.
  • One existing response event carries an HMAC'd User-Agent to verify the skip path leaves user_agent unset.

Verified locally with elastic-package test pipeline (all pass) and --generate (no diff).

Related issues

None

…er-Agent header

WHAT: In the hashicorp_vault `audit` data stream ingest pipeline, add a
painless script that reads the User-Agent header from
`hashicorp_vault.audit.request.headers.user-agent` (a flattened field whose
values Vault emits as arrays) and populates `user_agent.original`. The header
value is unwrapped from its list form (falling back to a scalar) and skipped
when it starts with `hmac-`, since Vault HMACs header values when configured to
do so and the HMAC digest is not a meaningful user agent. A subsequent
`user_agent` processor parses `user_agent.original` into the standard ECS
subfields, matching the pattern used across the rest of the repo. The parsed
ECS fields are declared in `fields/ecs.yml`.

WHY: Surfacing the request User-Agent as structured ECS `user_agent.*` fields
makes Vault audit events consistent with other integrations and enables
filtering/aggregation by client without parsing raw headers.

The `test-faked-all-fields` pipeline test is extended (no new document added):
one existing request event now carries a real User-Agent to exercise parsing,
and one existing response event carries an HMAC'd User-Agent to verify the skip
path leaves `user_agent` unset. Verified locally with `elastic-package test
pipeline` (all pass) and `--generate` (no diff).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@elastic-vault-github-plugin-prod

Copy link
Copy Markdown
Contributor

Reviewers

Buildkite won't run for external contributors automatically; you need to add a comment:

  • /test : will kick off a build in Buildkite.

NOTE: https://github.com/elastic/integrations/blob/main/.buildkite/pull-requests.json contains all those details.

@lyoung-confluent lyoung-confluent changed the title [hashicorp_vault] Populate and parse user_agent from audit request User-Agent header [hashicorp_vault] feat: populate and parse user_agent from audit request User-Agent header Jul 14, 2026
@lyoung-confluent lyoung-confluent marked this pull request as ready for review July 14, 2026 23:39
@lyoung-confluent lyoung-confluent requested a review from a team as a code owner July 14, 2026 23:39
@lyoung-confluent

Copy link
Copy Markdown
Author

It's worth noting that by default Vault does NOT log User-Agent headers in audit logs, it has to be explicitly enabled via the /sys/config/auditing API (or vault_audit_request_header in Terraform). However, it's a somewhat common configuration in the deployed Vault instances.

Replace the painless script that populated `user_agent.original` with a `set`
processor using `copy_from` on the first User-Agent header element
(`hashicorp_vault.audit.request.headers.user-agent.0`) and `ignore_empty_value`.
The HMAC-skip condition (Vault can be configured to HMAC header values, and the
digest is not a meaningful user agent) moves into the processor's `if`. This is
more declarative and idiomatic than the script while producing identical output;
verified with `elastic-package test pipeline` (all pass).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant