Cherry-pick #15906 to 7.x: Fix Filebeat Zeek Weird Ingest Pipeline (#…

…16037) * Fix Filebeat Zeek Weird Ingest Pipeline (#15906) * Update pipeline.json * Fix zeek weird pipeline (cherry picked from commit 6b9c8cb) * update changelog Co-authored-by: xander33 <[email protected]>
elastic · Feb 4, 2020 · ab96f50 · ab96f50
1 parent ad5b2ba
commit ab96f50
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 2 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -89,6 +89,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fixed dashboard for Cisco ASA Firewall. {issue}15420[15420] {pull}15553[15553]
 - Add shared_credential_file to cloudtrail config {issue}15652[15652] {pull}15656[15656]
 - Fix typos in zeek notice fileset config file. {issue}15764[15764] {pull}15765[15765]
+- Fix mapping error when zeek weird logs do not contain IP addresses. {pull}15906[15906]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/module/zeek/weird/ingest/pipeline.json b/x-pack/filebeat/module/zeek/weird/ingest/pipeline.json
@@ -28,13 +28,15 @@
     {
       "set": {
         "field": "source.ip",
-        "value": "{{source.address}}"
+        "value": "{{source.address}}",
+        "if": "ctx?.source?.address != null"
       }
     },
     {
       "set": {
         "field": "destination.ip",
-        "value": "{{destination.address}}"
+        "value": "{{destination.address}}",
+        "if": "ctx?.destination?.address != null"
       }
     }
   ],

diff --git a/x-pack/filebeat/module/zeek/weird/test/weird-json.log b/x-pack/filebeat/module/zeek/weird/test/weird-json.log
@@ -1 +1,2 @@
 {"ts":1543877999.99354,"uid":"C1ralPp062bkwWt4e","id.orig_h":"192.168.1.1","id.orig_p":64521,"id.resp_h":"192.168.1.2","id.resp_p":53,"name":"dns_unmatched_reply","notice":false,"peer":"worker-6"}
+{"ts":1580227259.342809,"name":"non_ip_packet_in_ethernet","notice":false,"peer":"ens3f1-4"}
diff --git a/x-pack/filebeat/module/zeek/weird/test/weird-json.log-expected.json b/x-pack/filebeat/module/zeek/weird/test/weird-json.log-expected.json
@@ -21,5 +21,20 @@
         "zeek.weird.name": "dns_unmatched_reply",
         "zeek.weird.notice": false,
         "zeek.weird.peer": "worker-6"
+    },
+    {
+        "@timestamp": "2020-01-28T16:00:59.342Z",
+        "event.dataset": "zeek.weird",
+        "event.module": "zeek",
+        "fileset.name": "weird",
+        "input.type": "log",
+        "log.offset": 197,
+        "service.type": "zeek",
+        "tags": [
+            "zeek.weird"
+        ],
+        "zeek.weird.name": "non_ip_packet_in_ethernet",
+        "zeek.weird.notice": false,
+        "zeek.weird.peer": "ens3f1-4"
     }
 ]
Original file line number	Diff line number	Diff line change
		@@ -1 +1,2 @@
		{"ts":1543877999.99354,"uid":"C1ralPp062bkwWt4e","id.orig_h":"192.168.1.1","id.orig_p":64521,"id.resp_h":"192.168.1.2","id.resp_p":53,"name":"dns_unmatched_reply","notice":false,"peer":"worker-6"}
		{"ts":1580227259.342809,"name":"non_ip_packet_in_ethernet","notice":false,"peer":"ens3f1-4"}