Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cherry-pick #22975 to 7.x: [Filebeat] Add mime type detection for Elasticsearch module #22995

Merged
merged 3 commits into from
Dec 9, 2020
Merged

Cherry-pick #22975 to 7.x: [Filebeat] Add mime type detection for Elasticsearch module #22995

merged 3 commits into from
Dec 9, 2020

Conversation

andrewstucki
Copy link

@andrewstucki andrewstucki commented Dec 8, 2020
edited by zube bot
Loading

Cherry-pick of PR #22975 to 7.x branch. Original message:

What does this PR do?

Adds ECS 1.7 mime_type fields to the Elasticsearch audit log filebeat module and fixes a bug in the ingest pipeline that was truncating JSON payloads in the request_body field in plaintext audit logs.

I would imagine that this would result in a bit of a hit to the throughput of the module due to adding additional processing on the beats side to dice up and determine the mime type of the request. Initially I tried extracting the request_body from the plaintext payload with a beats-side dissect processor, but the lack of regex anchoring support causes it to misinterpret arrays inside a JSON request as terminators for the field itself, similar to how the unanchored grok in the pipeline was working. Since I couldn't get that to work properly, I just decided to drop into Javascript and anchor a regex that can extract the field.

If there are any alternatives that someone can think of, let me know.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

[Filebeat] Add mime type detection for Elasticsearch module (elastic#…
a7d36cb 
…22975)

* Add mime type resolution for elasticsearch filebeat module

* Update changelog

(cherry picked from commit a34c01a)
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Dec 8, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Dec 8, 2020
@elasticmachine
Copy link
Collaborator

elasticmachine commented Dec 8, 2020
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: Pull request #22995 updated

  • Start Time: 2020-12-08T21:13:38.673+0000

  • Duration: 45 min 32 sec

Test stats 🧪

Test Results
Failed 0
Passed 4640
Skipped 572
Total 5212

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test Results
Failed 0
Passed 4640
Skipped 572
Total 5212

@andrewstucki andrewstucki merged commit 2f49b78 into elastic:7.x Dec 9, 2020
@andrewstucki andrewstucki deleted the backport_22975_7.x branch December 9, 2020 01:56
@zube zube bot removed the [zube]: Done label Mar 9, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees
No one assigned
Labels
backport
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@andrewstucki @elasticmachine @andrewkroh