
Cherry-pick #20696 to 7.x: [Filebeat] Sync with zeek package #20712

Merged 1 commit into elastic:7.x on Aug 24, 2020

Conversation

leehinman
Contributor

@leehinman leehinman commented Aug 20, 2020

Cherry-pick of PR #20696 to 7.x branch. Original message:

What does this PR do?

Syncs the zeek Filebeat module with the zeek package dataset. Specifically:

  • connection
    • remove redundant source.ip & destination.ip mapping
    • add null check for append to related.ip
    • remove duplicate setting of event.kind & event.category
  • dce_rpc
    • add null check for append to related.ip
  • dnp3
    • add append to related.ip
  • dns
    • move conversion of zeek.dns.ts to @timestamp to ingest pipeline
    • add event.created to ingest pipeline
  • intel
    • move conversion of zeek.intel.ts to @timestamp to ingest pipeline
  • socks
    • change processor for event.outcome from append to set
  • ssl
    • fix so event.type is correctly set
    • fix quoting of = in ingest pipeline
  • x509
    • convert pipeline to yaml format

Why is it important?

We should get the same behavior when using the Filebeat module vs. the package dataset.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
    • [ ] I have made corresponding changes to the documentation
    • [ ] I have made corresponding changes to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

TESTING_FILEBEAT_MODULES=zeek mage -v pythonIntegTest

Related issues

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Aug 20, 2020
@elasticmachine
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Aug 20, 2020
- connection
  + remove redundant source.ip & destination.ip mapping
  + add null check for append to related.ip
  + remove duplicate setting of event.kind & event.category
- dce_rpc
  + add null check for append to related.ip
- dnp3
  + add append to related.ip
- dns
  + move conversion of zeek.dns.ts to @timestamp to ingest pipeline
  + add event.created to ingest pipeline
- intel
  + move conversion of zeek.intel.ts to @timestamp to ingest pipeline
- socks
  + change processor for event.outcome from append to set
- ssl
  + fix so event.type is correctly set
  + fix quoting of = in ingest pipeline
- x509
  + convert pipeline to yaml format

(cherry picked from commit 7de72d6)
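The pipeline changes listed in the PR description and the commit message above (timestamp conversion moved into the ingest pipeline, event.created added, null check before appending to related.ip, set instead of append for event.outcome), shown together as an added illustrative ingest pipeline. This is not the Filebeat module's own pipeline; apart from the field names the PR itself mentions, the field paths and the event.outcome condition are assumed for illustration.

```yaml
# Illustrative Elasticsearch ingest pipeline for a Zeek dataset (added example,
# not the Filebeat module's own file). Field names other than those named in
# the PR (zeek.dns.ts, event.created, related.ip, source.ip, event.outcome)
# are assumed.
description: Example Zeek DNS pipeline showing the patterns from the sync
processors:
  # Conversion of zeek.dns.ts to @timestamp happens in the pipeline rather than
  # in the Filebeat input config. Zeek's ts is epoch seconds with a fractional
  # part, which the UNIX format handles (UNIX_MS would expect milliseconds).
  - date:
      field: zeek.dns.ts
      target_field: "@timestamp"
      formats:
        - UNIX
  # event.created records when the document was ingested, as opposed to
  # @timestamp, which is when Zeek observed the event.
  - set:
      field: event.created
      value: "{{_ingest.timestamp}}"
  # Null check before append. Without the `if`, a document with no source.ip
  # would append an empty value to the ip-typed related.ip field and the
  # document would be rejected at index time.
  - append:
      field: related.ip
      value: "{{source.ip}}"
      if: ctx?.source?.ip != null
  - append:
      field: related.ip
      value: "{{destination.ip}}"
      if: ctx?.destination?.ip != null
  # `set` writes a scalar event.outcome; `append` would produce an array such
  # as ["success"], which breaks queries and visualizations that expect a
  # single keyword. The condition below is assumed for illustration
  # (rcode_name is a Zeek dns.log field).
  - set:
      field: event.outcome
      value: success
      if: ctx?.zeek?.dns?.rcode_name == "NOERROR"
# A pipeline-level failure handler keeps malformed events, with the reason
# recorded, instead of dropping them silently.
on_failure:
  - set:
      field: error.message
      value: "{{_ingest.on_failure_message}}"
```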
@leehinman
Contributor Author

run tests

@leehinman
Contributor Author

jenkins run tests

@leehinman leehinman merged commit 16e2d64 into elastic:7.x Aug 24, 2020
@leehinman leehinman deleted the backport_20696_7.x branch October 5, 2020 19:06
@zube zube bot removed the [zube]: Done label Nov 23, 2020