Filebeat module sophos, add null safety check and support for an additional timestamp field. #27834
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fix for missing sent_pkts elastic#27833
botelastic
bot
added
the
needs_team
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
Trends 🧪💚 Flaky test reportTests succeeded. Expand to view the summary
Test stats 🧪
|
|
This pull request is now in conflicts. Could you fix it? 🙏 |
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
botelastic
bot
removed
the
needs_team
adriansr
suggested changes
Sep 14, 2021
adriansr
added
backport-v7.15.0
marc-gr
added
the
needs_integration_sync
marc-gr
approved these changes
Sep 20, 2021
adriansr
approved these changes
Sep 21, 2021
mergify bot
pushed a commit
that referenced
this pull request
Sep 21, 2021
…tional timestamp field. (#27834) Sophos Version 18.5 sends sophos.xg.timestamp field. Closes #27833 Co-authored-by: Adrian Serrano <[email protected]> (cherry picked from commit 0741d0a)
mergify bot
pushed a commit
that referenced
this pull request
Sep 21, 2021
…tional timestamp field. (#27834) Sophos Version 18.5 sends sophos.xg.timestamp field. Closes #27833 Co-authored-by: Adrian Serrano <[email protected]> (cherry picked from commit 0741d0a)
adriansr
added a commit
that referenced
this pull request
Sep 23, 2021
…tional timestamp field. (#27834) (#28019) Sophos Version 18.5 sends sophos.xg.timestamp field. Closes #27833 (cherry picked from commit 0741d0a) Co-authored-by: Philipp Kahr <[email protected]> Co-authored-by: Adrian Serrano <[email protected]>
adriansr
added a commit
that referenced
this pull request
Sep 23, 2021
…tional timestamp field. (#27834) (#28020) Sophos Version 18.5 sends sophos.xg.timestamp field. Closes #27833 (cherry picked from commit 0741d0a) Co-authored-by: Philipp Kahr <[email protected]> Co-authored-by: Adrian Serrano <[email protected]>
Icedroid
pushed a commit
to Icedroid/beats
that referenced
this pull request
Nov 1, 2021
…tional timestamp field. (elastic#27834) Sophos Version 18.5 sends sophos.xg.timestamp field. Closes elastic#27833 Co-authored-by: Adrian Serrano <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Sophos in Version 18.5 sends a field called
timestampinstead of the olddateandtimefields. Since the pipeline does not perform any null safety checks on the set command, the pipeline fails.Additionally, sometimes
sent_pktsis not populated and atrimprocessor is called withoutignore_missingresulting in a failure.Why is it important?
Better pipeline error handling.
Checklist
I have commented my code, particularly in hard-to-understand areasI have made corresponding changes to the documentationI have made corresponding change to the default configuration filesI have added tests that prove my fix is effective or that my feature worksCHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.How to test this PR locally
Ingest simulate for the set processor
```json POST _ingest/pipeline/_simulate { "pipeline": { "processors": [ { "set": { "field": "_temp_.time", "value": "{{sophos.xg.date}} {{sophos.xg.time}}", "if": "ctx?.sophos?.xg?.date != null && ctx?.sophos?.xg?.time != null" } }, { "set": { "field": "_temp_.time", "value": "{{sophos.xg.timestamp}}", "if": "ctx?.sophos?.xg?.timestamp != null" } } ] }, "docs": [ { "_source": { "sophos": { "xg": { "date": "2021-08-12", "time": "10:00" } } } }, { "_source": { "sophos": { "xg": { "timestamp": "2021-08-12T10:00Z" } } } }, { "_source": { "sophos": { "xg": { "date": "2021-08-12", "time": "10:00", "timestamp": "2021-08-12T10:00Z" } } } }] } ```Related issues