
[Filebeat] Add Pensando DFW Module #21063

Merged
merged 37 commits into from
Feb 15, 2021

Conversation

punisherVX (Contributor)

  • Enhancement

What does this PR do?

Utilized the instructions found here: https://www.elastic.co/guide/en/beats/devguide/current/filebeat-modules-devguide.html
This adds the Pensando distributed firewall (fileset) beat to the release.

Why is it important?

Many of our customers want an easy way to implement our FW logging in/on their Elastic instances.

Checklist

  • My code follows the style guidelines of this project
    - [ ] I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • All files are in the correct place (dashboards, docs, module files, etc.)

How to test this PR locally

All tests were run using these guidelines to verify logs worked correctly: https://www.elastic.co/guide/en/beats/devguide/current/filebeat-modules-devguide.html#_test

Related issues

None

Use cases

Screenshots

Logs

@elasticmachine (Collaborator)

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?


@botelastic botelastic bot added the needs_team label Sep 10, 2020
@elasticmachine (Collaborator)

elasticmachine commented Sep 10, 2020

💚 Build Succeeded


Build stats

  • Build Cause: marc-gr commented: jenkins run tests

  • Start Time: 2021-02-15T15:52:08.727+0000

  • Duration: 54 min 32 sec

  • Commit: 494e8cc

Test stats 🧪

Test Results
Failed 0
Passed 13041
Skipped 2047
Total 15088

Trends 🧪


💚 Flaky test report

Tests succeeded.


@elasticmachine (Collaborator)

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed the needs_team label Sep 11, 2020
@adriansr adriansr requested a review from a team September 21, 2020 08:06
@adriansr (Contributor)

jenkins run the tests please

@botelastic

botelastic bot commented Oct 21, 2020

Hi!
We just realized that we haven't looked into this PR in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it in as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Oct 21, 2020
@punisherVX (Contributor, Author)

This is still relevant (to us at least). 👍

@botelastic botelastic bot removed the Stalled label Oct 21, 2020
@punisherVX (Contributor, Author)

This is still relevant and needs to be looked at. Thanks.

@botelastic

botelastic bot commented Dec 13, 2020

Hi!
We just realized that we haven't looked into this PR in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it in as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Dec 13, 2020
@punisherVX (Contributor, Author)

Yep - still relevant 👍


@botelastic botelastic bot removed the Stalled label Dec 14, 2020
@marc-gr (Contributor)

marc-gr commented Jan 12, 2021

@punisherVX could you please update your branch with master?

@marc-gr marc-gr self-assigned this Jan 12, 2021
@marc-gr (Contributor) left a review comment

It is looking good!

After the comments I left and finishing up the docs should be in pretty good shape.

Maybe could be interesting to map some of the fields under pensando to ECS (I was thinking about filling up some network.* fields based on pensando.dfw.direction and pensando.dfw.protocol).

LMK if you need anything from our side to move this forward.

Thanks for your patience and hope to get it merged soon 😄

filebeat/module/pensando/_meta/config.yml
filebeat/module/pensando/dfw/config/dfw.yml (outdated)
filebeat/module/pensando/dfw/ingest/pipeline.yml (outdated)
filebeat/module/pensando/dfw/_meta/fields.yml (outdated)
filebeat/module/pensando/dfw/test/test.log-expected.json (outdated)
@marc-gr (Contributor) left a review comment

I checked it out locally and some changes are required to fix the pipeline. Once done, you will need to run:

```
cd filebeat
TESTING_FILEBEAT_MODULES=pensando MODULES_PATH=module GENERATE=true mage -v pythonIntegTest
```

to regenerate the test golden files.

Please lmk if you need any help. Thanks!!

filebeat/module/pensando/dfw/ingest/pipeline.yml (outdated)
filebeat/module/pensando/dfw/ingest/pipeline.yml (outdated)
filebeat/module/pensando/dfw/ingest/pipeline.yml (outdated)
@marc-gr (Contributor)

marc-gr commented Feb 2, 2021

jenkins run tests

@marc-gr (Contributor)

marc-gr commented Feb 8, 2021

jenkins run tests

@marc-gr (Contributor) left a review comment

Sorry I missed that the first time!

Can you re-generate the golden files again after that change?

```
cd filebeat
TESTING_FILEBEAT_MODULES=pensando MODULES_PATH=module GENERATE=true mage -v pythonIntegTest
```

This time, to double check all is good, run the tests without the GENERATE=true flag.

Thanks!!

filebeat/module/pensando/dfw/ingest/pipeline.yml (outdated)
@marc-gr (Contributor)

marc-gr commented Feb 10, 2021

jenkins run tests

@marc-gr (Contributor) left a review comment

LGTM

@marc-gr marc-gr requested a review from andrewkroh February 10, 2021 11:44
@andrewkroh (Member) left a review comment

Just one minor comment to fix, then I think it will be good to go.

filebeat/module/pensando/dfw/_meta/fields.yml (outdated)
@marc-gr (Contributor)

marc-gr commented Feb 12, 2021

Please @punisherVX commit the changes after running cd filebeat; mage fmt update

@marc-gr (Contributor)

marc-gr commented Feb 15, 2021

jenkins run tests

@marc-gr marc-gr merged commit 4194408 into elastic:master Feb 15, 2021
@marc-gr (Contributor)

marc-gr commented Feb 15, 2021

Thanks @punisherVX for the hard work!

@punisherVX (Contributor, Author)

Thanks for all the help @marc-gr!! Great learning experience on how this is all done as well.

marc-gr pushed a commit to marc-gr/beats that referenced this pull request Feb 16, 2021
* Add Pensando module init

* explicitly define the ECS version per testing

* updates to docs from make update

* updates for pensando module

* updates to documentation and db screenshot

* add dashboard export to repo

* update to add pensando beat

* Update filebeat/module/pensando/dfw/config/dfw.yml

Co-authored-by: Marc Guasch <[email protected]>

* Update pipeline.yml

Condensed all "remove" fields to 1 list of fields.

* Update pipeline.yml

Do not remove the payload_raw field.

* Update filebeat/module/pensando/_meta/docs.asciidoc

Co-authored-by: Andrew Kroh <[email protected]>

* Update config.yml

Added syslog_host and syslog_port values as suggested.

* Update docs.asciidoc

Added documentation for syslog_host and syslog_port as suggested.

* Update pipeline.yml

Removing payload_raw - this and json are, essentially, the same field and no longer needed after parsing.

* Update pipeline.yml

Changed checks if values are != null to use the filebeat specific ignore_empty_value: true instead.

* Remove set of event.module

Remove the set param for event.module.  Filebeat should add this automatically.

* Apply suggestions from code review

Co-authored-by: Andrew Kroh <[email protected]>

* Update test.log

* Use convert instead of set for some fields

Changed ECS sets for IP addresses and ports to converts of type ip and
integer respectively.

* Updates for geoip and autonomous system

* add pensando dfw fields

* fixes from make -C filebeat update

* fixes for filebeat check

* make update changes

* Update filebeat/module/pensando/dfw/config/dfw.yml

Co-authored-by: Marc Guasch <[email protected]>

* Update filebeat/module/pensando/dfw/ingest/pipeline.yml

Co-authored-by: Marc Guasch <[email protected]>

* Update filebeat/module/pensando/dfw/ingest/pipeline.yml

Co-authored-by: Marc Guasch <[email protected]>

* Update filebeat/module/pensando/dfw/ingest/pipeline.yml

Co-authored-by: Marc Guasch <[email protected]>

* Update filebeat/module/pensando/dfw/ingest/pipeline.yml

Co-authored-by: Marc Guasch <[email protected]>

* remove old json file

* ran tests

* Update filebeat/module/pensando/dfw/ingest/pipeline.yml

Co-authored-by: Marc Guasch <[email protected]>

* gen after run of 'mage -v pythonIntegTest'

* Update fields.yml

* mage fmt update request

Co-authored-by: Marc Guasch <[email protected]>
Co-authored-by: Andrew Kroh <[email protected]>
(cherry picked from commit 4194408)
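The review comment above suggests filling ECS network.* fields from pensando.dfw.direction and pensando.dfw.protocol, and the commit messages describe the pipeline changes that were made: IP and port fields converted to ECS with the ingest `convert` processor (types ip and integer), null checks replaced by `ignore_empty_value: true`, and the redundant payload_raw and json copies removed. The following Python is an added reference model of those steps, written for this page; it is not the module's pipeline.yml and not Elastic's code. The field names and values under pensando.dfw, the direction strings and their ECS mapping, and the failure tag are assumptions made for the example; the real field definitions live in the module's fields.yml.

```python
import copy
import ipaddress
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample event, shaped like what Filebeat hands to the ingest
# pipeline after decoding the JSON syslog payload. The field names under
# pensando.dfw and their values are assumptions made for this example.
SAMPLE_EVENT: Dict[str, Any] = {
    "pensando": {"dfw": {
        "src_ip": "10.1.2.3", "dst_ip": "203.0.113.9",
        "src_port": "51234", "dst_port": "443",
        "protocol": "TCP", "direction": "from-host", "action": "allow",
    }},
    "payload_raw": "<134>1 2021-02-15T15:52:08Z dfw - - - {...}",  # constructed syslog body
    "json": {"decoded": "copy of payload_raw"},
}

# Assumed mapping from the firewall's direction strings to ECS network.direction values.
DIRECTION_TO_ECS = {"from-host": "outbound", "to-host": "inbound"}
# IANA protocol numbers a firewall may log instead of names (general knowledge, not page data).
PROTO_NUMBER_TO_NAME = {"1": "icmp", "6": "tcp", "17": "udp"}


def _get(event: Dict[str, Any], path: str) -> Any:
    """Read a dotted path such as 'pensando.dfw.src_ip'; None when absent."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _set(event: Dict[str, Any], path: str, value: Any) -> None:
    """Write a dotted path, creating intermediate objects as needed."""
    parts = path.split(".")
    node = event
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def convert_field(event: Dict[str, Any], source: str, target: str, typ: str,
                  ignore_empty_value: bool = True) -> Optional[str]:
    """Model of the ingest `convert` processor with ignore_empty_value.
    Returns None on success, otherwise a string describing the rejected value."""
    value = _get(event, source)
    if value is None or value == "":
        return None if ignore_empty_value else f"{source}: missing"
    try:
        if typ == "ip":
            converted: Any = str(ipaddress.ip_address(str(value)))  # rejects non-addresses
        elif typ == "integer":
            converted = int(str(value), 10)
        else:
            raise ValueError(f"unsupported type {typ}")
    except ValueError as exc:
        return f"{source}: {exc}"
    _set(event, target, converted)
    return None


def normalize(event: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Apply the steps the commit messages describe: typed ECS conversions,
    network.direction/transport derivation, and removal of the raw copies."""
    out = copy.deepcopy(event)
    errors: List[str] = []
    for src, dst, typ in [
        ("pensando.dfw.src_ip", "source.ip", "ip"),
        ("pensando.dfw.dst_ip", "destination.ip", "ip"),
        ("pensando.dfw.src_port", "source.port", "integer"),
        ("pensando.dfw.dst_port", "destination.port", "integer"),
    ]:
        err = convert_field(out, src, dst, typ)
        if err:
            errors.append(err)

    direction = _get(out, "pensando.dfw.direction")
    if direction in DIRECTION_TO_ECS:
        _set(out, "network.direction", DIRECTION_TO_ECS[direction])
    proto = _get(out, "pensando.dfw.protocol")
    if proto:
        _set(out, "network.transport", PROTO_NUMBER_TO_NAME.get(str(proto), str(proto)).lower())

    if errors:
        # Keep the event and record why enrichment failed rather than dropping a firewall log.
        _set(out, "error.message", "; ".join(errors))
        out["tags"] = out.get("tags", []) + ["_pensando_convert_failure"]  # assumed tag name
    else:
        # payload_raw and json duplicate the parsed fields and are dropped once parsing succeeds.
        out.pop("payload_raw", None)
        out.pop("json", None)
    return out, errors


if __name__ == "__main__":
    normalized, problems = normalize(SAMPLE_EVENT)
    print(normalized, problems)
```

The design choice worth noting is the failure branch: a value that does not parse as an IP or integer leaves the original pensando.dfw.* fields in place and annotates the event instead of discarding it, so malformed or unexpected firewall records remain searchable rather than silently vanishing from the index.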
marc-gr added a commit that referenced this pull request Feb 16, 2021
Co-authored-by: Edward Arcuri <[email protected]>
v1v added a commit to v1v/beats that referenced this pull request Feb 16, 2021
…-arm

* upstream/master:
  [Metricbeat][Kubernetes] Extend state_node with more conditions (elastic#23905)
  [CI] googleStorageUploadExt step (elastic#24048)
  Check fields are documented for aws metricsets (elastic#23887)
  Update go-concert to 0.1.0 (elastic#23770)
  [Libbeat][New Processor] XML Decode (elastic#23678)
  Fix: bad substitution of API key (elastic#24036)
  [Filebeat] Add Pensando DFW Module (elastic#21063)
  [Filebeat] Check if processor is supported by ES version (elastic#23763)
  Syslog system tests: be more forgiving (elastic#24021)