From 10ff202c8d2877d4a81c5ad8824b35a9eab0b50c Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Tue, 16 Apr 2024 14:37:26 -0400 Subject: [PATCH 1/3] x-pack/filebeat/input/entityanalytics - Fix log fmt Change logger statements to not use `%w` (which is only for wrapping in fmt.Errorf). Users reported seeing messages like: Failed to obtain some registered user data: %!w(*fmt.wrapError=&{unable to fetch users: unexpected status code: 404 body --- CHANGELOG.next.asciidoc | 1 + .../entityanalytics/provider/azuread/fetcher/graph/graph.go | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 311b8dd2019..deab8388587 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -132,6 +132,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff] - Fix filestream's registry GC: registry entries are now removed from the in-memory and disk store when they're older than the set TTL {issue}36761[36761] {pull}38488[38488] - [threatintel] MISP splitting fix for empty responses {issue}38739[38739] {pull}38917[38917] - Prevent GCP Pub/Sub input blockage by increasing default value of `max_outstanding_messages` {issue}35029[35029] {pull}38985[38985] +- entity-analytics input: Fix format of some log messages. {pull}38990[38990] *Heartbeat* diff --git a/x-pack/filebeat/input/entityanalytics/provider/azuread/fetcher/graph/graph.go b/x-pack/filebeat/input/entityanalytics/provider/azuread/fetcher/graph/graph.go index 6cabdf887e8..01d2d707025 100644 --- a/x-pack/filebeat/input/entityanalytics/provider/azuread/fetcher/graph/graph.go +++ b/x-pack/filebeat/input/entityanalytics/provider/azuread/fetcher/graph/graph.go 
@@ -206,7 +206,7 @@ func (f *graph) Users(ctx context.Context, deltaLink string) ([]*fetcher.User, s
 for _, v := range response.Users {
 user, err := newUserFromAPI(v)
 if err != nil {
- f.logger.Errorf("Unable to parse user from API: %w", err)
+ f.logger.Errorw("Unable to parse user from API", "error", err)
 continue
 }
 f.logger.Debugf("Got user %q from API", user.ID)
@@ -258,7 +258,7 @@ func (f *graph) Devices(ctx context.Context, deltaLink string) ([]*fetcher.Devic
 for _, v := range response.Devices {
 device, err := newDeviceFromAPI(v)
 if err != nil {
- f.logger.Errorf("Unable to parse device from API: %w", err)
+ f.logger.Errorw("Unable to parse device from API", "error", err)
 continue
 }
 f.logger.Debugf("Got device %q from API", device.ID)
@@ -290,7 +290,7 @@ func (f *graph) addRegistered(ctx context.Context, device *fetcher.Device, typ s
 switch {
 case err == nil, errors.Is(err, nextLinkLoopError{"users"}), errors.Is(err, missingLinkError{"users"}):
 default:
- f.logger.Errorf("Failed to obtain some registered user data: %w", err)
+ f.logger.Errorw("Failed to obtain some registered user data", "error", err)
 }
 for _, u := range users {
 set.Add(u.ID)

From ea338340746287a5658611ba822c1b881a76f95a Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Tue, 16 Apr 2024 14:56:25 -0400
Subject: [PATCH 2/3] Fix links to group-get and device-get

---
 x-pack/filebeat/docs/inputs/input-entity-analytics.asciidoc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/x-pack/filebeat/docs/inputs/input-entity-analytics.asciidoc b/x-pack/filebeat/docs/inputs/input-entity-analytics.asciidoc
index 676925f7176..e099bf3d247 100644
--- a/x-pack/filebeat/docs/inputs/input-entity-analytics.asciidoc
+++ b/x-pack/filebeat/docs/inputs/input-entity-analytics.asciidoc
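Review bot: In graph.go's `Users` hunk (-206), and identically in the `Devices` hunk (-258), a record that fails `newUserFromAPI` / `newDeviceFromAPI` is dropped by `continue`, and the new `Errorw` call records only the error, so nothing in the entry says which directory object was skipped. For an identity feed this is a silent gap in the collected users and devices. Now that the call takes key/value pairs, it could add one identifying the object, taken from whichever field of `v` holds its ID (the type of `v` is not visible here). A short comment above the `continue`, such as `// Skip entries that fail to parse; the remaining entries on the page are still processed.`, would make the best-effort intent explicit. Both loops start and end outside their hunks.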
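Review bot: In graph.go's `addRegistered` hunk (-290), the value logged under `error` can carry text returned by the remote service: the commit message quotes one such error ending in `unexpected status code: 404 body`. Its length and content are therefore decided upstream, so it is worth confirming that the code constructing that error (outside this hunk) caps how much of the response body it keeps before it reaches the log. The structured call could also record which device the lookup was for, e.g. `f.logger.Errorw("Failed to obtain some registered user data", "error", err, "device_id", device.ID)`, assuming `device` is non-nil at this point and exposes `ID` as in the `Devices` hunk. The function body starts and ends outside the hunk.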
@@ -498,13 +498,13 @@ This is a list of optional query parameters. The default is `["accountEnabled", [float] ===== `select.groups` -Override the default https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http#optional-query-parameters[group query selections]. +Override the default https://learn.microsoft.com/en-us/graph/api/group-get?view=graph-rest-1.0&tabs=http#optional-query-parameters[group query selections]. This is a list of optional query parameters. The default is `["displayName", "members"]`. [float] ===== `select.devices` -Override the default https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http#optional-query-parameters[device query selections]. +Override the default https://learn.microsoft.com/en-us/graph/api/device-get?view=graph-rest-1.0&tabs=http#optional-query-parameters[device query selections]. This is a list of optional query parameters. The default is `["accountEnabled", "deviceId", "displayName", "operatingSystem", "operatingSystemVersion", "physicalIds", "extensionAttributes", "alternativeSecurityIds"]`. From 878e57f1eb7b6e53ece400a3aa6386a5e7d7d00a Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Tue, 16 Apr 2024 17:52:21 -0400 Subject: [PATCH 3/3] Adjust changelog msg --- CHANGELOG.next.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index deab8388587..4d89b75dbca 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -132,7 +132,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff] - Fix filestream's registry GC: registry entries are now removed from the in-memory and disk store when they're older than the set TTL {issue}36761[36761] {pull}38488[38488] - [threatintel] MISP splitting fix for empty responses {issue}38739[38739] {pull}38917[38917] - Prevent GCP Pub/Sub input blockage by increasing default value of `max_outstanding_messages` {issue}35029[35029] {pull}38985[38985] -- entity-analytics input: Fix format of some log messages. {pull}38990[38990] +- entity-analytics input: Improve structured logging. {pull}38990[38990] *Heartbeat*