Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[libbeat] New decode xml wineventlog processor #25115

Merged
merged 9 commits into from
Apr 20, 2021
Merged

[libbeat] New decode xml wineventlog processor #25115

merged 9 commits into from
Apr 20, 2021

Conversation

marc-gr
Copy link
Contributor

@marc-gr marc-gr commented Apr 15, 2021

What does this PR do?

Draft of the changes required to move wineventlog decoding to a new processor

From the discussion at #25109 to see which approach we prefer.

Why is it important?

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

@marc-gr marc-gr requested a review from leehinman April 15, 2021 16:06
@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Apr 15, 2021
@elasticmachine
Copy link
Collaborator

elasticmachine commented Apr 15, 2021
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: Pull request #25115 updated

  • Start Time: 2021-04-20T07:26:49.899+0000

  • Duration: 60 min 33 sec

  • Commit: cfcb4f1

Test stats 🧪

Test Results
Failed 0
Passed 47145
Skipped 5134
Total 52279

Trends 🧪

Image of Build Times

Image of Tests

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test Results
Failed 0
Passed 47145
Skipped 5134
Total 52279

leehinman
leehinman requested changes Apr 15, 2021
View reviewed changes
Copy link
Contributor

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

still testing but found 2 things

libbeat/processors/decode_xml_wineventlog/processor.go Show resolved Hide resolved
libbeat/processors/decode_xml_wineventlog/processor.go Outdated Show resolved Hide resolved
@marc-gr marc-gr marked this pull request as ready for review April 19, 2021 10:33
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@marc-gr marc-gr force-pushed the new_decode_xml_wineventlog_processor branch from c739801 to 3f8b423 Compare April 19, 2021 15:56
@marc-gr marc-gr mentioned this pull request Apr 19, 2021
Closed
5 tasks
@marc-gr marc-gr requested a review from leehinman April 19, 2021 15:58
leehinman
leehinman approved these changes Apr 19, 2021
View reviewed changes
Copy link
Contributor

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thank You.

@marc-gr marc-gr added the backport-v7.13.0 Automated backport with mergify label Apr 19, 2021
@mergify
Copy link
Contributor

mergify bot commented Apr 19, 2021

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b new_decode_xml_wineventlog_processor upstream/new_decode_xml_wineventlog_processor
git merge upstream/master
git push upstream new_decode_xml_wineventlog_processor

andrewkroh
andrewkroh approved these changes Apr 19, 2021
View reviewed changes
libbeat/processors/decode_xml_wineventlog/docs/decode_xml_wineventlog.asciidoc
exist in the event are overwritten by keys from the decoded XML object. The
default value is `true`.

`map_ecs_fields`:: (Optional) A boolean that specifies whether to map additional ECS
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be more clear to explicitly state that this writes keys outside of target_field.

libbeat/processors/decode_xml_wineventlog/docs/decode_xml_wineventlog.asciidoc Outdated
`map_ecs_fields`:: (Optional) A boolean that specifies whether to map additional ECS
fields when possible. The default value is `true`.

`document_id`:: (Optional) XML key to use as the document ID. If configured, the
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this will be useful for event log XML data. I can't think of a field that has enough uniqueness on its own. I'd would probably use a fingerprint processor to combine a few fields like record_id, channel, computer_name, timestamp if I wanted a unique _id.

@marc-gr marc-gr force-pushed the new_decode_xml_wineventlog_processor branch from ab53093 to 7eafa15 Compare April 20, 2021 06:13
@marc-gr marc-gr force-pushed the new_decode_xml_wineventlog_processor branch from 3fefb41 to cfcb4f1 Compare April 20, 2021 07:25
@marc-gr marc-gr merged commit 8cf8f51 into elastic:master Apr 20, 2021
@marc-gr marc-gr deleted the new_decode_xml_wineventlog_processor branch April 20, 2021 08:31
@mergify mergify bot mentioned this pull request Apr 20, 2021
Merged
v1v added a commit to v1v/beats that referenced this pull request Apr 20, 2021
@v1v
Merge remote-tracking branch 'upstream/master' into feature/customise…
2d9fb4d 
…-github-pr-comment-template

* upstream/master:
  [Ingest Manager] Keep http and logging config during enroll (elastic#25132)
  Refactor kubernetes autodiscover to avoid skipping short-living pods (elastic#24742)
  [libbeat] New decode xml wineventlog processor (elastic#25115)
  Add svc to agent k8s clusterRole (elastic#25146)
  Add awsfargate module to collect container logs from Amazon ECS on Fargate (elastic#25041)
  [Filebeat][Cisco ASA] log enhancement and performance (elastic#24744)
  Watch kubernetes namespaces for autodiscover metadata for pods (elastic#25117)
  Cyberark Privileged Access Security module (elastic#24803)
  [Elastic Agent] Log the container command output with LOGS_PATH (elastic#25150)
  Fix for tests after `device...` field has been removed (elastic#25141)
  [Ingest Manager] Restart process on output change (elastic#24907)
  Set --insecure in container when FLEET_SERVER_ENABLE and FLEET_INSECURE set. (elastic#25137)
  [filebeat] Update documentation / changelog / beta warnings for the syslog input (elastic#25047)
  Add support for ignore_inactive in filestream input (elastic#25036)
  Fix bug with annotations dedot config on k8s not used (elastic#25111)
marc-gr added a commit that referenced this pull request Apr 20, 2021
@marc-gr
[libbeat] New decode xml wineventlog processor (#25115)
5caf443 
* Move enrich raw functionality to common package

* Enrich Raw fields when possible in decode_xml

* Add ECS mappings when decoding wineventlog xml

* Add decode_xml_wineventlog processor

* Add missing fields to config checks

* Change event.code type

* Fix PR number in changelog

* Fix test

* Remove document_id and make docs more clear

(cherry picked from commit 8cf8f51)
marc-gr added a commit that referenced this pull request Apr 20, 2021
@mergify @marc-gr
[libbeat] New decode xml wineventlog processor (#25115) (#25165)
8f6b4ad 
* Move enrich raw functionality to common package

* Enrich Raw fields when possible in decode_xml

* Add ECS mappings when decoding wineventlog xml

* Add decode_xml_wineventlog processor

* Add missing fields to config checks

* Change event.code type

* Fix PR number in changelog

* Fix test

* Remove document_id and make docs more clear

(cherry picked from commit 8cf8f51)

Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com>
v1v added a commit to v1v/beats that referenced this pull request Apr 22, 2021
@v1v
Merge remote-tracking branch 'upstream/master' into feature/pin-testi…
82ffbd4 
…ng-versions-stack

* upstream/master: (28 commits)
  Add support for parsers in filestream input (elastic#24763)
  Skip flaky test TestFilestreamTruncate (elastic#25218)
  backport: Add 7.13 branch (elastic#25189)
  Update decode_json_fields.asciidoc (elastic#25056)
  [Elastic Agent] Fix status and inspect command to work inside running container (elastic#25204)
  Check native environment before starting (elastic#25186)
  Change event.code and winlog.event_id type (elastic#25176)
  [Ingest Manager] Proxy processes/elastic-agent to stats (elastic#25193)
  Update mergify backporting to 7.x and 7.13 (elastic#25196)
  [Heartbeat]: ensure synthetics version co* [Heartbeat]: ensure synthetics version compatability for suites  * address review and fix notice  * fix lowercase struct  * fix version conflict and rebase  * update go.* stuff to master  * fix notice.txt  * move validate inside sourcempatability for suites (elastic#24777)
  [Filebeat] Ensure Kibana audit `event.category` and `event.type` are still processed as strings. (elastic#25101)
  Update replace.asciidoc (elastic#25055)
  Fix nil panic when overwriting metadata (elastic#24741)
  [Filebeat] Add Malware Bazaar to Threat Intel Module (elastic#24570)
  Fix k8s svc selectors mapping (elastic#25169)
  [Ingest Manager] Make agent retry values for bootstraping configurable (elastic#25163)
  [Metricbeat] Remove elasticsearc.index.created from the SM code (elastic#25113)
  [Ingest Manager] Keep http and logging config during enroll (elastic#25132)
  Refactor kubernetes autodiscover to avoid skipping short-living pods (elastic#24742)
  [libbeat] New decode xml wineventlog processor (elastic#25115)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leehinman leehinman leehinman approved these changes

@adriansr adriansr adriansr approved these changes

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees
No one assigned
Labels
backport-v7.13.0 Automated backport with mergify enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@marc-gr @elasticmachine @andrewkroh @adriansr @leehinman