Log raw events and errors containing events to a separate file

[belimawr]

Proposed commit message

This commit introduces a new logger that can be configured through logging.sensitive that can be used to log any message that contains the whole event or could contain any sensitive data

At the moment it is used by multiple outputs to log indexing errors containing the whole event and errors returned by Elasticsearch that can potentially contain the whole event.

Open questions

Expected behaviour in a container environment?

When Beats is running in a Container environment we set the log output to stdout (see the example in our documentation, however the "sensitive logger" will always log to a file in the default log file.

Decision:
In all cases add a new field log.type: sensitive for the sensitive logger and allow it to also log to stderr as well as disabling the logger.

The docker command, note the -e CLI flag:

docker run -d \
  --name=filebeat \
  --user=root \
  --volume="$(pwd)/filebeat.docker.yml:/usr/share/filebeat/filebeat.yml:ro" \
  --volume="/var/lib/docker/containers:/var/lib/docker/containers:ro" \
  --volume="/var/run/docker.sock:/var/run/docker.sock:ro" \
  --volume="registry:/usr/share/filebeat/data:rw" \
  docker.elastic.co/beats/filebeat:8.11.4 filebeat -e --strict.perms=false \
  -E output.elasticsearch.hosts=["elasticsearch:9200"]

When running the command above, the events log file is created inside the container in /usr/share/filebeat/logs/

To have the sensitive logger logging to stderr, add the following CLI flag to Filebeat: -E logging.sensitive.to_stderr=true -E logging.sensitive.to_files=false

Generated log file example:

root@76af12033efd: /usr/share/filebeatroot@76af12033efd:/usr/share/filebeat# ls -la /usr/share/filebeat/logs/
total 16
drwxrwxr-x 1 root root 4096 Jan 17 08:05 .
drwxr-xr-x 1 root root 4096 Jan 17 07:39 ..
-rw------- 1 root root 2757 Jan 17 08:05 filebeat-sensitive-data-20240117.ndjson
root@76af12033efd: /usr/share/filebeatroot@76af12033efd:/usr/share/filebeat# 

Expected behaviour when running under Elastic-Agent?

The same applies when running under Elastic-Agent: the Elastic-Agent runs Beats passing the the CLI flag -E logging.sensitive.to_stderr=true -E logging.sensitive.to_files=false, collects the stderr and stdout from the Beat, wraps every line in a JSON containing some metadata and logs it to the correct log file. The concept of a sensitive log file will be added to the Elastic-Agent.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• Update go.mod after [logp] Add typed loggers allowing log entries to go to different outputs elastic-agent-libs#171 is merged
• Create PR on Elastic-Agent to handle the sensitive logs
• Decide what to do when running in a container environment
• Decide what to do for Elastic-Agent
• Test if the Elastic-Agent diagnostics can collect the new log file(s)

How to test this PR locally

Standalone Filebeat

Start Filebeat with the following configuration

filebeat.inputs:
  - type: filestream
    id: filestream-input-id
    enabled: true
    parsers:
      - ndjson:
          target: ""
          overwrite_keys: true
          expand_keys: true
          add_error_key: true
          ignore_decoding_error: false
    paths:
      - /tmp/flog.log

output:
  elasticsearch:
    hosts:
      - localhost:9200
    protocol: https
    username: elastic
    password: changeme
    allow_older_versions: true
    ssl.verification_mode: none

logging:
  level: debug
  events:
    files:
      name: filebeat-events-data # that's the default, change it if you want another name.

Create the log file /tmp/flog.log with the following content:

{"message":"foo bar","int":10,"string":"str"}
{"message":"another message","int":20,"string":"str2"}
{"message":"index failure","int":"not a number","string":10}
{"message":"second index failure","int":"not a number","string":10}
A broken JSON

Raw events should be logged to a different log file, in the same folder as the normal logs, the filename matches the glob filebeat-events-data*.ndjson.

By default the logs go in a logs folder that's created in the same folder you're running Filebeat from, here are the files created when running this branch:

% ls -la logs 
-rw------- 1 tiago tiago  65K Jan 16 16:24 filebeat-20240116.ndjson
-rw------- 1 tiago tiago 2.8K Jan 16 16:22 filebeat-sensitive-data-20240116.ndjson

If you need to run the test again, either add more data to /tmp/flog.log or remove the data folder Filebeat created at star up, this will make Filebeat re-ingest the file.

Under Elastic-Agent

1. Package the Elastic-Agent from Use a different log file for sensitive data elastic-agent#4129
2. Replace the Filebeat binary by the binary built from this branch/PR
3. Create /tmp/flog.log with a few lines, the data is not important
4. Start the Elastic-Agent with the following configuration (adjust if needed)

outputs:
  default:
    type: elasticsearch
    hosts:
        - http://localhost:9200
    username: elastic
    password: changeme
    preset: balanced

inputs:
  - type: filestream
    id: your-input-id
    streams:
      - id: your-filestream-stream-id
        data_stream:
          dataset: generic
        paths:
          - /tmp/flog.log

agent.monitoring:
  enabled: false
  logs: false
  metrics: false
  pprof.enabled: false
  use_output: default
  http:
      enabled: false

agent.logging.to_stderr: true
agent.logging.metrics.enabled: false

To create ingest failures the easiest way is to close the write index from the datastream, to do that go to Kibana -> Dev Tools

To get the backing index for a datastream:

GET /_data_stream/logs-generic-default

This will return something like:

{
  "data_streams": [
    {
      "name": "logs-generic-default",
      "timestamp_field": {
        "name": "@timestamp"
      },
      "indices": [
        {
          "index_name": ".ds-logs-generic-default-2024.01.22-000001",
          "index_uuid": "0pq-XIYfSjuUQhTxlJKJjQ",
          "prefer_ilm": true,
          "ilm_policy": "logs",
          "managed_by": "Index Lifecycle Management"
        }
      ]
    }
  ]
}

Take note of the index_name .ds-logs-generic-default-2024.01.22-000001.
Close this index:

POST .ds-logs-generic-default-2024.01.22-000001/_close

5. Add more data to the file /tmp/flog.log
   You should see in the logs something like this:

{
  "log.level": "warn",
  "@timestamp": "2024-01-24T11:22:43.762+0100",
  "message": "Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Date(2024, time.January, 24, 11, 22, 32, 671147360, time.Local), Meta:{\"input_id\":\"your-input-id\",\"raw_index\":\"logs-generic-default\",\"stream_id\":\"your-filestream-stream-id\"}, Fields:{\"agent\":{\"ephemeral_id\":\"7ec26fa3-aa6d-4dc9-b49c-4ed359243af7\",\"id\":\"b3f86956-66e9-4b3e-a477-8f21f2778d2b\",\"name\":\"millennium-falcon\",\"type\":\"filebeat\",\"version\":\"8.13.0\"},\"data_stream\":{\"dataset\":\"generic\",\"namespace\":\"default\",\"type\":\"logs\"},\"ecs\":{\"version\":\"8.0.0\"},\"elastic_agent\":{\"id\":\"b3f86956-66e9-4b3e-a477-8f21f2778d2b\",\"snapshot\":true,\"version\":\"8.13.0\"},\"event\":{\"dataset\":\"generic\"},\"host\":{\"architecture\":\"x86_64\",\"containerized\":false,\"hostname\":\"millennium-falcon\",\"id\":\"851f339d77174301b29e417ecb2ec6a8\",\"ip\":[\"42.42.42.42\",\"42.42.42.42\",\"8652:d3d0:3e34:49e8:f7f0:42dd:75e8:7807\",\"42.42.42.42\",\"8652:d3d0:3e34:49e8:f7f0:42dd:75e8:7807\",\"8652:d3d0:3e34:49e8:f7f0:42dd:75e8:7807\",\"42.42.42.42\",\"8652:d3d0:3e34:49e8:f7f0:42dd:75e8:7807\",\"42.42.42.42\",\"mac\":[\"57-A3-02-AD-65-79\"],\"name\":\"millennium-falcon\",\"os\":{\"build\":\"rolling\",\"family\":\"arch\",\"kernel\":\"6.7.0-arch3-1\",\"name\":\"Arch Linux\",\"platform\":\"arch\",\"type\":\"linux\",\"version\":\"\"}},\"input\":{\"type\":\"filestream\"},\"log\":{\"file\":{\"device_id\":\"34\",\"inode\":\"155800\",\"path\":\"/tmp/flog.log\"},\"offset\":446},\"message\":\"123.124.200.160 - - [24/Jan/2024:11:12:39 +0100] \\\"DELETE /unleash/infrastructures HTTP/1.1\\\" 400 16825\"}, Private:(*input_logfile.updateOp)(0xc001477c50), TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:mapstr.M(nil)}} (status=400): {\"type\":\"index_closed_exception\",\"reason\":\"closed\",\"index_uuid\":\"0pq-XIYfSjuUQhTxlJKJjQ\",\"index\":\".ds-logs-generic-default-2024.01.22-000001\"}, dropping event!",
  "component": {
    "binary": "filebeat",
    "dataset": "elastic_agent.filebeat",
    "id": "filestream-default",
    "type": "filestream"
  },
  "log": {
    "source": "filestream-default"
  },
  "log.logger": "elasticsearch",
  "log.origin": {
    "file.line": 461,
    "file.name": "elasticsearch/client.go",
    "function": "github.com/elastic/beats/v7/libbeat/outputs/elasticsearch.(*Client).bulkCollectPublishFails"
  },
  "log.type": "sensitive",
  "ecs.version": "1.6.0"
}

## Related issues
## Use cases
## Screenshots
## Logs

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @belimawr? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

[belimawr]

CI is failing because elastic/elastic-agent-libs#169 has not been merged yet.

[elasticmachine]

❕ Build Aborted

There is a new build on-going so the previous on-going builds have been aborted.

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-12-20T15:45:54.571+0000

• Duration: 12 min 40 sec

Test stats 🧪

Test	Results
Failed	0
Passed	3
Skipped	0
Total	3

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

💔 Build Failed

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-12-20T15:52:51.576+0000

• Duration: 128 min 20 sec

Test stats 🧪

Test	Results
Failed	0
Passed	28464
Skipped	1994
Total	30458

Steps errors

Expand to view the steps failures

libbeat-unitTest - mage build unitTest

• Took 12 min 53 sec . View more details here
• Description: mage build unitTest

libbeat-unitTest - mage build unitTest

• Took 9 min 20 sec . View more details here
• Description: mage build unitTest

libbeat-unitTest - mage build unitTest

• Took 9 min 20 sec . View more details here
• Description: mage build unitTest

libbeat-goIntegTest - mage goIntegTest

• Took 15 min 31 sec . View more details here
• Description: mage goIntegTest

libbeat-goIntegTest - mage goIntegTest

• Took 11 min 51 sec . View more details here
• Description: mage goIntegTest

libbeat-goIntegTest - mage goIntegTest

• Took 11 min 53 sec . View more details here
• Description: mage goIntegTest

x-pack/dockerlogbeat-unitTest - mage build unitTest

• Took 2 min 49 sec . View more details here
• Description: mage build unitTest

x-pack/dockerlogbeat-unitTest - mage build unitTest

• Took 1 min 50 sec . View more details here
• Description: mage build unitTest

x-pack/dockerlogbeat-unitTest - mage build unitTest

• Took 1 min 50 sec . View more details here
• Description: mage build unitTest

Error signal

• Took 0 min 0 sec . View more details here
• Description: Error 'hudson.AbortException: script returned exit code 1'

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

💔 Build Failed

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-12-21T08:05:10.271+0000

• Duration: 130 min 12 sec

Test stats 🧪

Test	Results
Failed	0
Passed	28596
Skipped	1997
Total	30593

Steps errors

Expand to view the steps failures

libbeat-unitTest - mage build unitTest

• Took 12 min 50 sec . View more details here
• Description: mage build unitTest

libbeat-unitTest - mage build unitTest

• Took 9 min 20 sec . View more details here
• Description: mage build unitTest

libbeat-unitTest - mage build unitTest

• Took 9 min 18 sec . View more details here
• Description: mage build unitTest

libbeat-goIntegTest - mage goIntegTest

• Took 17 min 51 sec . View more details here
• Description: mage goIntegTest

libbeat-goIntegTest - mage goIntegTest

• Took 11 min 2 sec . View more details here
• Description: mage goIntegTest

libbeat-goIntegTest - mage goIntegTest

• Took 11 min 4 sec . View more details here
• Description: mage goIntegTest

x-pack/dockerlogbeat-unitTest - mage build unitTest

• Took 2 min 50 sec . View more details here
• Description: mage build unitTest

x-pack/dockerlogbeat-unitTest - mage build unitTest

• Took 1 min 0 sec . View more details here
• Description: mage build unitTest

x-pack/dockerlogbeat-unitTest - mage build unitTest

• Took 1 min 0 sec . View more details here
• Description: mage build unitTest

Error signal

• Took 0 min 0 sec . View more details here
• Description: Error 'hudson.AbortException: script returned exit code 1'

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

💔 Build Failed

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-12-21T10:57:09.356+0000

• Duration: 129 min 56 sec

Test stats 🧪

Test	Results
Failed	0
Passed	28729
Skipped	2015
Total	30744

Steps errors

Expand to view the steps failures

x-pack/dockerlogbeat-unitTest - mage build unitTest

• Took 2 min 36 sec . View more details here
• Description: mage build unitTest

x-pack/dockerlogbeat-unitTest - mage build unitTest

• Took 1 min 52 sec . View more details here
• Description: mage build unitTest

x-pack/dockerlogbeat-unitTest - mage build unitTest

• Took 1 min 53 sec . View more details here
• Description: mage build unitTest

Error signal

• Took 0 min 0 sec . View more details here
• Description: Error 'hudson.AbortException: script returned exit code 1'

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-12-21T16:52:41.894+0000

• Duration: 174 min 24 sec

Test stats 🧪

Test	Results
Failed	0
Passed	28732
Skipped	2015
Total	30747

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

❕ Build Aborted

There is a new build on-going so the previous on-going builds have been aborted.

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-12-22T17:12:53.432+0000

• Duration: 129 min 57 sec

Test stats 🧪

Test	Results
Failed	0
Passed	28113
Skipped	2010
Total	30123

Steps errors

Expand to view the steps failures

filebeat-goIntegTest - mage goIntegTest

• Took 5 min 57 sec . View more details here
• Description: mage goIntegTest

metricbeat-pythonIntegTest - mage pythonIntegTest

• Took 31 min 27 sec . View more details here
• Description: mage pythonIntegTest

x-pack/filebeat-windows-2022-windows-2022 - mage build unitTest

• Took 7 min 21 sec . View more details here
• Description: mage build unitTest

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Duration: 172 min 52 sec

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b log-raw-events-to-file upstream/log-raw-events-to-file
git merge upstream/main
git push upstream log-raw-events-to-file

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Duration: 171 min 59 sec

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

💔 Build Failed

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Duration: 9 min 12 sec

Pipeline error

This error is likely related to the pipeline itself. Click here
and then you will see the error (either incorrect syntax or an invalid configuration).

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

💔 Build Failed

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2024-01-16T19:13:04.374+0000

• Duration: 130 min 53 sec

Test stats 🧪

Test	Results
Failed	0
Passed	31481
Skipped	1882
Total	33363

Steps errors

Expand to view the steps failures

Show only the first 10 steps failures

x-pack/filebeat-goIntegTest - mage goIntegTest

• Took 6 min 15 sec . View more details here
• Description: mage goIntegTest

x-pack/filebeat-goIntegTest - mage goIntegTest

• Took 3 min 47 sec . View more details here
• Description: mage goIntegTest

x-pack/filebeat-goIntegTest - mage goIntegTest

• Took 3 min 45 sec . View more details here
• Description: mage goIntegTest

x-pack/filebeat-windows-2022-windows-2022 - mage build unitTest

• Took 8 min 36 sec . View more details here
• Description: mage build unitTest

x-pack/filebeat-windows-2022-windows-2022 - mage build unitTest

• Took 3 min 40 sec . View more details here
• Description: mage build unitTest

x-pack/filebeat-windows-2022-windows-2022 - mage build unitTest

• Took 3 min 31 sec . View more details here
• Description: mage build unitTest

x-pack/filebeat-windows-2016-windows-2016 - mage build unitTest

• Took 7 min 26 sec . View more details here
• Description: mage build unitTest

x-pack/filebeat-windows-2016-windows-2016 - mage build unitTest

• Took 3 min 38 sec . View more details here
• Description: mage build unitTest

x-pack/filebeat-windows-2016-windows-2016 - mage build unitTest

• Took 3 min 36 sec . View more details here
• Description: mage build unitTest

Error signal

• Took 0 min 0 sec . View more details here
• Description: Error 'hudson.AbortException: script returned exit code 1'

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

💔 Build Failed

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Duration: 132 min 5 sec

Pipeline error

This error is likely related to the pipeline itself. Click here
and then you will see the error (either incorrect syntax or an invalid configuration).

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[belimawr]

I'll update this once elastic/elastic-agent-libs#171 is merged.

[belimawr]

Rebased onto main to solve conflicts

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2024-01-26T10:34:55.627+0000

• Duration: 196 min 41 sec

Test stats 🧪

Test	Results
Failed	0
Passed	28197
Skipped	1865
Total	30062

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b log-raw-events-to-file upstream/log-raw-events-to-file
git merge upstream/main
git push upstream log-raw-events-to-file

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @belimawr? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

[pierrehilbert]

Setting back to draft for now.

[belimawr]

Closing as the behaviour has changed and it was easier to start from a new branch. The new PR with the same feature: #38767