
[Suricata] Updated mappings to leverage import_mappings functionality #7628

Closed


vinit-chauhan
Contributor

Enhancement

What does this PR do?

This PR dumps the old way of defining ECS field mappings and uses the import_mappings functionality.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots


@vinit-chauhan vinit-chauhan requested a review from a team as a code owner September 1, 2023 01:19
@elasticmachine

elasticmachine commented Sep 1, 2023

❕ Build Aborted

The PR is not allowed to run in the CI yet



Build stats

  • Start Time: 2023-09-01T19:55:41.681+0000

  • Duration: 4 min 33 sec

Steps errors 2


Load a resource file from a library
  • Took 0 min 0 sec
  • Description: approval-list/elastic/integrations.yml
Error signal
  • Took 0 min 0 sec
  • Description: githubApiCall: The REST API call https://api.github.com/orgs/elastic/members/vinit-chauhan return the message : java.lang.Exception: httpRequest: Failure connecting to the service https://api.github.com/orgs/elastic/members/vinit-chauhan : httpRequest: Failure connecting to the service https://api.github.com/orgs/elastic/members/vinit-chauhan : Code: 404Error: {"message":"User does not exist or is not a member of the organization","documentation_url":"https://docs.github.com/rest/orgs/members#check-organization-membership-for-a-user"}

🤖 GitHub comments


To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@@ -1,4 +1,9 @@
# newer versions go on top
- version: "2.12.1"
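Review bot: the hunk header `@@ -1,4 +1,9 @@` says five lines were added, but the view only shows the `# newer versions go on top` comment and the existing `version: "2.12.1"` entry, so the new changelog entry itself (its version, change type and PR link) cannot be checked here. Because the PR is labelled Enhancement, that entry should introduce a minor bump (2.13.0 rather than another 2.12.x patch) and be typed as an enhancement rather than a bugfix, which is also what the reviewer asks for below.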
Contributor


Maybe 2.13.0, as this is an enhancement.

@@ -107,125 +107,14 @@ An example event for `eve` looks as following:

| Field | Description | Type |
|---|---|---|
| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
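Review bot: the header `@@ -107,125 +107,14 @@` shows the README's exported-fields table for `eve` shrinking from 125 lines to 14, so most of the ECS rows that users consult for field names and types are removed from the docs once those fields are supplied by import_mappings (only the table header and the rows still visible in context survive). Until the docs build can render imported mappings, keep the full table, or at least add a line under the table pointing readers to the ECS field reference, so the README does not silently lose the field list.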
Contributor


Where can the user refer to the other mappings that are imported? Isn't there a way to show imported mappings in the docs too? Probably users are used to it.

Contributor Author


Hey @bhapas - Added those files back again. Would you please re-review it?

@andrewkroh
Member

Until we have a solution for populating the index.query.default_field and the readme docs, perhaps we should leave the static ECS mappings in-place? import_mappings: true will function to help users that have added additional ECS fields through custom pipelines or other means.

@vinit-chauhan
Contributor Author

Hey @andrewkroh - 👋🏻

So, the reason I've removed those static files is because, what if we have conflicts between them? And AFAIK, there were scenarios in the past where we had conflicts between them. I wonder what would happen if there's a conflict between these static files and ECS imported from import_mappings.
I'll have to check whether it would consider the imported mappings or the static mapping?!
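The two concerns raised in this thread, static field definitions that disagree with the ECS types import_mappings would supply, and keyword/text fields that only end up in index.query.default_field because they are declared statically, can be checked mechanically before a data stream's static ECS file is dropped. The script below is an added example, not code from this PR or from the elastic/integrations project; the sample field list and ECS excerpt are constructed, the `external: ecs` shape is assumed to match the integration fields format, and the default_field rule (explicit keyword/text-like fields are enumerated) is assumed from the discussion above rather than taken from Fleet's implementation.

```python
# Constructed sample of a data stream's static ECS field definitions, in the
# shape of an integration fields file: name plus either an explicit type or
# "external: ecs" (type resolved from the ECS reference at build time).
STATIC_FIELDS = [
    {"name": "@timestamp", "type": "date"},
    {"name": "cloud.account.id", "type": "keyword"},
    {"name": "event.duration", "type": "keyword"},  # deliberately wrong type
    {"name": "source.ip", "external": "ecs"},
]

# Constructed excerpt of the ECS flat reference (field name -> ECS type),
# standing in for what import_mappings pulls from the ECS repo at build time.
ECS_FLAT = {
    "@timestamp": "date",
    "cloud.account.id": "keyword",
    "event.duration": "long",
    "source.ip": "ip",
    "message": "match_only_text",
}

# Types that are assumed to be enumerated into index.query.default_field.
SEARCHABLE_TYPES = {"keyword", "text", "match_only_text", "wildcard"}


def resolved_type(field, ecs_flat):
    """Type a static definition ends up with: ECS's type for external: ecs
    entries, otherwise the explicit type written in the file."""
    if field.get("external") == "ecs":
        return ecs_flat.get(field["name"])
    return field.get("type")


def find_mapping_conflicts(static_fields, ecs_flat):
    """Return (field, static_type, ecs_type) for every explicitly typed static
    definition whose type disagrees with what import_mappings would supply."""
    conflicts = []
    for field in static_fields:
        if field.get("external") == "ecs":
            continue  # resolved from ECS itself, so it cannot disagree
        ecs_type = ecs_flat.get(field["name"])
        if ecs_type is not None and field.get("type") != ecs_type:
            conflicts.append((field["name"], field["type"], ecs_type))
    return conflicts


def default_field_candidates(static_fields, ecs_flat):
    """Statically declared fields that would be enumerated into
    index.query.default_field and so need another source once the file goes."""
    return sorted(f["name"] for f in static_fields
                  if resolved_type(f, ecs_flat) in SEARCHABLE_TYPES)
```

Run against a real data stream, conflicts point at entries that should be switched to `external: ecs` or removed, while the default_field list shows which searchable fields the README and index settings would stop naming.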

@vinit-chauhan
Contributor Author

It seems like the issue has been taken care of in #7657. Hence closing the PR.

Successfully merging this pull request may close these issues.

[Suricata] Missing ECS Field Mappings