Skip to content

[hashicorp_vault] feat: populate and parse user_agent from audit request User-Agent header#20122

Open
lyoung-confluent wants to merge 2 commits into
elastic:mainfrom
lyoung-confluent:claude/vault-audit-user-agent
Open

[hashicorp_vault] feat: populate and parse user_agent from audit request User-Agent header#20122
lyoung-confluent wants to merge 2 commits into
elastic:mainfrom
lyoung-confluent:claude/vault-audit-user-agent

Conversation

@lyoung-confluent

@lyoung-confluent lyoung-confluent commented Jul 14, 2026

Copy link
Copy Markdown

Proposed commit message

WHAT:
In the hashicorp_vault audit data stream ingest pipeline, add processor that copies the User-Agent header from hashicorp_vault.audit.request.headers field and populates user_agent.original. The header value is unwrapped from its list form and skipped if it starts with hmac-, since Vault can be configured to HMAC header values and the digest is not a meaningful user agent. A subsequent user_agent processor then parses user_agent.original into the standard ECS subfields, matching the pattern used across the rest of the repo. The parsed ECS fields are declared in fields/ecs.yml.

WHY:
Surfacing the request User-Agent as structured ECS user_agent.* fields makes Vault audit events consistent with other integrations and enables filtering/aggregation by client without parsing raw headers.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

cd packages/hashicorp_vault
elastic-package test pipeline --data-streams audit

The test-faked-all-fields pipeline test was extended (no new document added):

  • One existing request event now carries a real User-Agent (Go-http-client/2.0) to exercise parsing into user_agent.*.
  • One existing response event carries an HMAC'd User-Agent to verify the skip path leaves user_agent unset.

Verified locally with elastic-package test pipeline (all pass) and --generate (no diff).

Related issues

None

…er-Agent header

WHAT: In the hashicorp_vault `audit` data stream ingest pipeline, add a
painless script that reads the User-Agent header from
`hashicorp_vault.audit.request.headers.user-agent` (a flattened field whose
values Vault emits as arrays) and populates `user_agent.original`. The header
value is unwrapped from its list form (falling back to a scalar) and skipped
when it starts with `hmac-`, since Vault HMACs header values when configured to
do so and the HMAC digest is not a meaningful user agent. A subsequent
`user_agent` processor parses `user_agent.original` into the standard ECS
subfields, matching the pattern used across the rest of the repo. The parsed
ECS fields are declared in `fields/ecs.yml`.

WHY: Surfacing the request User-Agent as structured ECS `user_agent.*` fields
makes Vault audit events consistent with other integrations and enables
filtering/aggregation by client without parsing raw headers.

The `test-faked-all-fields` pipeline test is extended (no new document added):
one existing request event now carries a real User-Agent to exercise parsing,
and one existing response event carries an HMAC'd User-Agent to verify the skip
path leaves `user_agent` unset. Verified locally with `elastic-package test
pipeline` (all pass) and `--generate` (no diff).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@elastic-vault-github-plugin-prod

Copy link
Copy Markdown
Contributor

Reviewers

Buildkite won't run for external contributors automatically; you need to add a comment:

  • /test : will kick off a build in Buildkite.

NOTE: https://github.com/elastic/integrations/blob/main/.buildkite/pull-requests.json contains all those details.

@lyoung-confluent lyoung-confluent changed the title [hashicorp_vault] Populate and parse user_agent from audit request User-Agent header [hashicorp_vault] feat: populate and parse user_agent from audit request User-Agent header Jul 14, 2026
@lyoung-confluent
lyoung-confluent marked this pull request as ready for review July 14, 2026 23:39
@lyoung-confluent
lyoung-confluent requested a review from a team as a code owner July 14, 2026 23:39
@lyoung-confluent

Copy link
Copy Markdown
Author

It's worth noting that by default Vault does NOT log User-Agent headers in audit logs, it has to be explicitly enabled via the /sys/config/auditing API (or vault_audit_request_header in Terraform). However, it's a somewhat common configuration in the deployed Vault instances.

Replace the painless script that populated `user_agent.original` with a `set`
processor using `copy_from` on the first User-Agent header element
(`hashicorp_vault.audit.request.headers.user-agent.0`) and `ignore_empty_value`.
The HMAC-skip condition (Vault can be configured to HMAC header values, and the
digest is not a meaningful user agent) moves into the processor's `if`. This is
more declarative and idiomatic than the script while producing identical output;
verified with `elastic-package test pipeline` (all pass).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@andrewkroh andrewkroh added Integration:hashicorp_vault Hashicorp Vault Team:Integration-Experience Security Integrations Integration Experience [elastic/integration-experience] labels Jul 15, 2026
@infra-vault-gh-plugin-prod

Copy link
Copy Markdown

Pinging @elastic/integration-experience (Team:Integration-Experience)

@vera-review-bot

Copy link
Copy Markdown

No issues across the latest commits b043f55.

Since this is a community PR, a new commit triggers another review — at most once every 30 minutes. I skip the PR while it's approved or has merge conflicts.

🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Integration:hashicorp_vault Hashicorp Vault Team:Integration-Experience Security Integrations Integration Experience [elastic/integration-experience]

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants