Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cloudflare_logpush: fix mapping of url fields #5904

Merged
merged 2 commits into from
Apr 19, 2023
Merged

cloudflare_logpush: fix mapping of url fields #5904

merged 2 commits into from
Apr 19, 2023

Conversation

efd6
Copy link
Contributor

@efd6 efd6 commented Apr 18, 2023
edited
Loading

What does this PR do?

Previously the url fields were being populated by the referrer URL parts in the http_request datastream and the request fields were incompletely filled in the firewall_events datastream.

The use of the uri_parts processor to populate the url fields is a little troubling in the http_request datastream as the field used, ClientRequestURI, is not a URL and is arguably not even a URI without the context of the other ClientRequest* fields.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@efd6 efd6 added bug Something isn't working, use only for issues Team:Security-External Integrations Integration:cloudflare_logpush Cloudflare Logpush labels Apr 18, 2023
@efd6 efd6 self-assigned this Apr 18, 2023
@efd6
cloudflare_logpush: fix mapping of url fields
ea4f2c5 
Previously the url fields were being populated by the referrer URL parts
in the http_request datastream and the request fields were incompletely
filled in the firewall_events datastream.

The use of the uri_parts processor to populate the url fields is a little
troubling in the http_request datastream as the field used, ClientRequestURI,
is not a URL and is arguably not even a URI without the context of the
other ClientRequest* fields.
@efd6 efd6 force-pushed the 5849-cloudflare_logpush branch from 959b7d3 to ea4f2c5 Compare April 18, 2023 02:14
@elasticmachine
Copy link

elasticmachine commented Apr 18, 2023
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2023-04-19T21:56:50.208+0000

  • Duration: 22 min 39 sec

Test stats 🧪

Test Results
Failed 0
Passed 44
Skipped 0
Total 44

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@elasticmachine
Copy link

elasticmachine commented Apr 18, 2023
edited
Loading

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (7/7) 💚
Files 100.0% (7/7) 💚 3.043
Classes 100.0% (7/7) 💚 3.043
Methods 100.0% (89/89) 💚 8.345
Lines 93.91% (2421/2578) 👍 1.902
Conditionals 100.0% (0/0) 💚

@efd6 efd6 marked this pull request as ready for review April 18, 2023 02:49
@efd6 efd6 requested a review from a team as a code owner April 18, 2023 02:49
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

kcreddy
kcreddy approved these changes Apr 19, 2023
View reviewed changes
Copy link
Contributor

@kcreddy kcreddy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor suggestion. LGTM 👍🏼

...data_stream/firewall_event/_dev/test/pipeline/test-pipeline-firewall-event.log-expected.json Outdated
@@ -115,6 +115,9 @@
"preserve_duplicate_custom_fields"
],
"url": {
"domain": "xyz.example.com",
"path": "/abc/checkout",
"query": "?sourcerer=(default%3A(id%3A!n%2CselectedPatterns%3A!(eqldemo%2C%27logs-endpoint.*-eqldemo%27%2C%27logs-system.*-eqldemo%27%2C%27logs-windows.*-eqldemo%27%2Cmetricseqldemo)))\u0026timerange=(global%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.199Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.200Z%27%2CtoStr%3Anow))%2Ctimeline%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.201Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.202Z%27%2CtoStr%3Anow)))",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the ECS doc, ? symbol is being excluded from url.query. Maybe we could also exclude it to follow the standard.

@efd6 efd6 merged commit 801fcd8 into elastic:main Apr 19, 2023
@elasticmachine
Copy link

Package cloudflare_logpush - 1.1.1 containing this change is available at https://epr.elastic.co/search?package=cloudflare_logpush

agithomas pushed a commit to agithomas/integrations that referenced this pull request Apr 22, 2023
@efd6 @agithomas
cloudflare_logpush: fix mapping of url fields (elastic#5904)
aa32a92 
Previously the url fields were being populated by the referrer URL parts
in the http_request datastream and the request fields were incompletely
filled in the firewall_events datastream.

The use of the uri_parts processor to populate the url fields is a little
troubling in the http_request datastream as the field used, ClientRequestURI,
is not a URL and is arguably not even a URI without the context of the
other ClientRequest* fields.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kcreddy kcreddy kcreddy approved these changes

Assignees

@efd6 efd6

Labels
bug Something isn't working, use only for issues Integration:cloudflare_logpush Cloudflare Logpush
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Cloudflare Logpush] url.path mapped to referrer path
3 participants
@efd6 @elasticmachine @kcreddy