Fix issues found in integrations after testing with logsdb #10919
Conversation
Consider making it possible to distinguish "logsdb" test failures in the GH issues reported by the testreporter. Like perhaps something in the title or body. |
🚀 Benchmarks reportPackage
|
| Data stream | Previous EPS | New EPS | Diff (%) | Result |
|---|---|---|---|---|
mail |
3115.26 | 2364.07 | -751.19 (-24.11%) | 💔 |
Package windows 👍(2) 💚(3) 💔(4)
Expand to view
| Data stream | Previous EPS | New EPS | Diff (%) | Result |
|---|---|---|---|---|
applocker_msi_and_script |
9174.31 | 6060.61 | -3113.7 (-33.94%) | 💔 |
applocker_packaged_app_deployment |
9009.01 | 7092.2 | -1916.81 (-21.28%) | 💔 |
powershell |
2074.69 | 1631.32 | -443.37 (-21.37%) | 💔 |
sysmon_operational |
2890.17 | 2267.57 | -622.6 (-21.54%) | 💔 |
To see the full report comment with /test benchmark fullreport
jsoriano
force-pushed
the
fix-integrations-logsdb
branch
from
6c1cdf6 to
db41d0f
Compare
jsoriano
force-pushed
the
fix-integrations-logsdb
branch
from
1dc989f to
74d8b50
Compare
| - name: answers.signer_name | ||
| type: keyword | ||
| - name: answers.type_covered | ||
| type: keyword |
There was a problem hiding this comment.
@elastic/sec-linux-platform I have found these many new fields in the dns data stream when enabling logsdb. It seems weird because I don't see them in the 8.16 daily builds https://buildkite.com/elastic/integrations/builds/15161.
Do you know where they can come from?
This can be tested with a stack started like this:
elastic-package stack up -v --version 8.16.0-SNAPSHOT -d -U stack.logsdb_enabled=true
There was a problem hiding this comment.
There is a similar issue with ti_mandiant_advantage package, it is failing for some undefined fields, but this issue doesn't happen in daily builds 🤔
There was a problem hiding this comment.
For the case of ti_mandiant_advantage, the failures happen when the format of the documents look like this:
"mandiant.threat_intelligence.ioc.attributed_associations.id": [
"malware--6c9e3c50-490d-5a8f-8ed6-56510a62055b",
"threat-actor--6ca32cd4-0c60-5f0b-91fb-e6e590f1f10b"
],
"mandiant.threat_intelligence.ioc.attributed_associations.name": [
"IHSBACKCONNECT",
"UNC961"
],
"mandiant.threat_intelligence.ioc.attributed_associations.type": [
"malware",
"threat-actor"
],
They pass the tests if they are formatted like this:
"mandiant": {
"threat_intelligence": {
"ioc": {
"attributed_associations": [
{
"id": "threat-actor--6ca32cd4-0c60-5f0b-91fb-e6e590f1f10b",
"name": "UNC961",
"type": "threat-actor"
},
{
"id": "malware--6c9e3c50-490d-5a8f-8ed6-56510a62055b",
"name": "IHSBACKCONNECT",
"type": "malware"
}
],
Looks like an issue with validation, because the field names are the same at the end.
There was a problem hiding this comment.
elastic/elastic-package#2054 may be needed, but then I wonder why tests are passing for the second format (without synthetic source).
There was a problem hiding this comment.
Confirmed, it is the same issue in network_traffic, ti_mandiant_advantage and possibly others like mongodb_atlas.
Something like elastic/elastic-package#2054 is required, testing this patch now.
There was a problem hiding this comment.
An additional change is needed to avoid the different validation results with and without logsdb for these cases elastic/elastic-package#2090
jsoriano
force-pushed
the
fix-integrations-logsdb
branch
2 times, most recently
from
f9c5293 to
25eb89b
Compare
jsoriano
force-pushed
the
fix-integrations-logsdb
branch
from
25eb89b to
fe41b2c
Compare
Bumps [github.com/elastic/elastic-package](https://github.com/elastic/elastic-package) from 0.102.0 to 0.103.0. - [Release notes](https://github.com/elastic/elastic-package/releases) - [Changelog](https://github.com/elastic/elastic-package/blob/main/.goreleaser.yml) - [Commits](elastic/elastic-package@v0.102.0...v0.103.0) --- updated-dependencies: - dependency-name: github.com/elastic/elastic-package dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
…/github.com/elastic/elastic-package-0.103.0
…/elastic/elastic-package-0.103.0' into fix-integrations-logsdb
|
Changes in ti packages moved to #11008. |
Issue detected in #10919, there is a field in transforms that is not documented. This was only detected when enabling synthetic source (through logsdb), because only in this case we check fields that are not in the source, but are in the index, such as constant_keywords. Not having these fields defined will be a problem when we enable testing with logsdb, and/or when we fix validation of these fields.
|
Changes for nested fields moved to #11016. |
| @@ -737,6 +740,8 @@ | |||
| type: keyword | |||
| - name: auditd.data.result | |||
| type: keyword | |||
| - name: auditd.data.a* | |||
| type: keyword | |||
There was a problem hiding this comment.
These changes should not be needed as these are subfields of a flattened object, fixing this in elastic/elastic-package#2088.
andrewkroh
added
Integration:auditd_manager
💔 Build Failed
Failed CI Steps
History
cc @jsoriano |
|
|
All changes attempting to solve discrepancies in tests have been merged. The pending issues are already present when logsdb is not used. Closing this. |
Proposed commit message
After testing with logsdb we identified some issues in packages, some of these issues seem legit.
We address them here. They were not detected before because for testing with logsdb we are:
ecs@mappings.Issues solved:
A new daily job is added to test with logsdb.
elastic-package changes checklist
Checklist
changelog.ymlfile.Author's Checklist
Remove code to hardcode stack version and logsdb.This PR will be closed.Revert upgrade of elastic-package.This PR will be closed.network_traffic.dnsandti_mandiant_advantage.threat_intelligence? https://github.com/elastic/integrations/pull/10919/files#r1735806766 Should be fixed by Fix matching of leaf fields for objects elastic-package#2054.githubandtaniumshould be fixed by Misleading implementation of mappings of nested object subfields package-spec#784, as discussed in Add ecs@mappings multifields to all fields, not only external ones elastic-package#2055 (comment).