[Question] Default agent

[andreycha]

ECS integration/library project(s) (e.g. Elastic.CommonSchema.Serilog): all logging framework integrations, 8.6.1

Hi, I wanted to ask, what is the goal of DefaultAgent? When I read description of agent field, it doesn't sound to me like Elastic.CommonSchema.* package is an agent.

Problem is that when log are later shipped by Filebeat, it adds some of its values, and whole agent.* field looks like a mixture of different values from different sources:

These fields look consistent like when log entries in the file originally do not have agent.* fields:

(It might be also the question that is worth asking Filebeat devs why not all fields get overwritten by Filebeat, upd: https://discuss.elastic.co/t/filebeat-7-17-6-does-not-overwrite-agent-type-and-agent-version-if-they-are-already-present/344521)

P.S. Sorry for the wrong label, Github suggests only templates for bugs and features.

[Mpdreamz]

The agent fieldset is documented as:

The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host.

https://www.elastic.co/guide/en/ecs/current/ecs-agent.html

In that regard, Elastic.CommonSchema.Serilog is the agent that observes the logs.

We could potentially only include DefaultAgent when one of the datashippers is used to send data, need to mull over that idea a bit.