[Filebeat] Add field definitions for known Netflow/IPFIX vendor fields #23773
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
andrewkroh
added
enhancement
review
Filebeat
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
botelastic
bot
added
needs_team
andrewkroh
force-pushed
the
feature/fb/netflow-vendor-fields-yml
branch
from
51a8bd7 to
9939270
Compare
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
Trends 🧪💚 Flaky test reportTests succeeded. Expand to view the summary
Test stats 🧪
|
andrewkroh
force-pushed
the
feature/fb/netflow-vendor-fields-yml
branch
from
9939270 to
c145288
Compare
andrewkroh
removed
the
needs_backport
andrewkroh
commented
Feb 1, 2021
x-pack/filebeat/input/netflow/doc.go
Outdated
| @@ -5,3 +5,6 @@ | |||
| package netflow | |||
|
|
|||
| //go:generate go run fields_gen.go -output _meta/fields.yml --column-name=2 --column-type=3 --header _meta/fields.header.yml decoder/fields/ipfix-information-elements.csv | |||
| //go:generate go run fields_gen.go -output _meta/fields.yml --append --column-name=3 --column-type=4 --header _meta/fields.header.yml decoder/fields/cert_pen6871.csv | |||
There was a problem hiding this comment.
Looks like this approach of appending won't work b/c we need to merge the fields together to avoid duplicates.
andrewkroh
force-pushed
the
feature/fb/netflow-vendor-fields-yml
branch
from
596e848 to
a166af7
Compare
2 tasks
v1v
added a commit
to v1v/beats
that referenced
this pull request
Feb 17, 2021
…-arm * upstream/master: [CI] install docker-compose with retry (elastic#24069) Add nodes to filebeat-kubernetes.yaml ClusterRole - fixes elastic#24051 (elastic#24052) updating manifest files for filebeat threatintel module (elastic#24074) Add Zeek Signatures (elastic#23772) Update Beats to ECS 1.8.0 (elastic#23465) Support running Docker logging plugin on ARM64 (elastic#24034) Fix ec2 metricset fields.yml and add integration test (elastic#23726) Only build targz and zip versions of Beats if PACKAGES is set in agent (elastic#24060) [Filebeat] Add field definitions for known Netflow/IPFIX vendor fields (elastic#23773) [Elastic Agent] Enroll with Fleet Server (elastic#23865) [Filebeat] Convert logstash logEvent.action objects to strings (elastic#23944) [Ingest Management] Fix reloading of log level for services (elastic#24055) Add Agent standalone k8s manifest (elastic#23679)
v1v
added a commit
to v1v/beats
that referenced
this pull request
Feb 17, 2021
…dows-7 * upstream/master: (332 commits) Use ECS v1.8.0 (elastic#24086) Add support for postgresql csv logs (elastic#23334) [Heartbeat] Refactor config system (elastic#23467) [CI] install docker-compose with retry (elastic#24069) Add nodes to filebeat-kubernetes.yaml ClusterRole - fixes elastic#24051 (elastic#24052) updating manifest files for filebeat threatintel module (elastic#24074) Add Zeek Signatures (elastic#23772) Update Beats to ECS 1.8.0 (elastic#23465) Support running Docker logging plugin on ARM64 (elastic#24034) Fix ec2 metricset fields.yml and add integration test (elastic#23726) Only build targz and zip versions of Beats if PACKAGES is set in agent (elastic#24060) [Filebeat] Add field definitions for known Netflow/IPFIX vendor fields (elastic#23773) [Elastic Agent] Enroll with Fleet Server (elastic#23865) [Filebeat] Convert logstash logEvent.action objects to strings (elastic#23944) [Ingest Management] Fix reloading of log level for services (elastic#24055) Add Agent standalone k8s manifest (elastic#23679) [Metricbeat][Kubernetes] Extend state_node with more conditions (elastic#23905) [CI] googleStorageUploadExt step (elastic#24048) Check fields are documented for aws metricsets (elastic#23887) Update go-concert to 0.1.0 (elastic#23770) ...
andrewkroh
added a commit
to andrewkroh/integrations
that referenced
this pull request
Feb 18, 2021
Updates the vendor fields as a result of elastic/beats#23773.
andrewkroh
added a commit
to elastic/integrations
that referenced
this pull request
Mar 4, 2021
* Update fields for Netflow module Updates the vendor fields as a result of elastic/beats#23773. * Update changelog
eyalkraft
pushed a commit
to build-security/integrations
that referenced
this pull request
Mar 30, 2022
* Update fields for Netflow module Updates the vendor fields as a result of elastic/beats#23773. * Update changelog
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Several vendor specific fields are known to Filebeat (we built in the names/types of vendor field IDs into the input). Those fields were not included in the index template that we export. This updates the fields.yml file for the Filebeat netflow input to include those fields.
Why is it important?
By adding the field mapping it ensure that fields are mapped to the correct Elasticsearch data type (like
ip).Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Related issues