Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Initial start on parsing PAM messages #8756

Closed
wants to merge 1 commit into from
Closed

Initial start on parsing PAM messages #8756

wants to merge 1 commit into from

Conversation

opoplawski
Copy link

Is this a reasonable approach?

@elasticmachine
Copy link
Collaborator

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

@opoplawski
Copy link
Author

Need to figure out how to make the mappings...

jsoriano
jsoriano reviewed Oct 26, 2018
View reviewed changes
Copy link
Member

@jsoriano jsoriano left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @opoplawski for this contribution! This is looking good, could you also add some example logs for testing?

filebeat/module/system/auth/_meta/fields.yml Show resolved Hide resolved
filebeat/module/system/auth/ingest/pipeline.json Outdated
@@ -15,6 +15,8 @@
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sudo(?:\\[%{POSINT:system.auth.pid}\\])?: \\s*%{DATA:system.auth.user} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}",
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} groupadd(?:\\[%{POSINT:system.auth.pid}\\])?: new group: name=%{DATA:system.auth.groupadd.name}, GID=%{NUMBER:system.auth.groupadd.gid}",
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} useradd(?:\\[%{POSINT:system.auth.pid}\\])?: new user: name=%{DATA:system.auth.useradd.name}, UID=%{NUMBER:system.auth.useradd.uid}, GID=%{NUMBER:system.auth.useradd.gid}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$",
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname}? %{DATA:system.auth.program}(?:\\[%{POSINT:system.auth.pid}\\])?: pam_%{DATA:system.auth.pam.module}\\(%{DATA:system.auth.pam.service}:%{DATA:system.auth.pam.type}\\): %{DATA:system.auth.pam.result}; logname=%{DATA:system.auth.pam.logname} uid=%{INT:system.auth.pam.uid} euid=%{INT:system.auth.pam.euid} tty=%{DATA:system.auth.pam.tty} ruser=%{DATA:system.auth.pam.ruser} rhost=%{DATA:system.auth.pam.rhost} user=%{DATA:system.auth.pam.user}",
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname}? %{DATA:system.auth.program}(?:\\[%{POSINT:system.auth.pid}\\])?: pam_%{DATA:system.auth.pam.module}\\(%{DATA:system.auth.pam.service}:%{DATA:system.auth.pam.type}\\): received for user %{DATA:system.auth.pam.user}: %{POSINT:system.auth.pam.errno} \\(%{DATA:system.auth.pam.errmsg}\\)",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you also add some examples of the log lines these patterns are parsing? If you add them to filebeat/module/system/auth/test they will be used on testing.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm adding them to test.log, hope that's right.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As I mention in the other comment, you can also add them to an specific file.

filebeat/module/system/auth/_meta/fields.yml Outdated
The PAM result text, e.g. "authentication success".
- name: logname
description: >
The PAM logname.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is this logname? maybe it'd be good to add an example here too.

filebeat/module/system/auth/_meta/fields.yml Show resolved Hide resolved
filebeat/module/system/auth/_meta/fields.yml Outdated Show resolved Hide resolved
filebeat/module/system/auth/_meta/fields.yml Outdated
- name: rhost
type: ip
description: >
The remote host IP address.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These fields could be remote.user and remote.ip.

filebeat/module/system/auth/_meta/fields.yml Outdated
type: long
description: >
The PAM result error number.
- name: errmsg
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You may want to index error message for full text search with type: text.

@opoplawski
Copy link
Author

At this point I can figure out what isn't matching in expected.json output.

@jsoriano
Copy link
Member

@opoplawski thanks for adding the test entries, they will be very helpful! You can also add them to a new file instead of using the existing one, all files that exist in test directories with a corresponding expected.json file are used in tests.

Completing the expected.json file can be a bit tricky, there is an option that helps on that, if you run the test with GENERATE=1 it will automatically complete the existing expected json files.
To run this test, the easy way is to run make system-tests, but this runs all tests and can take a while. Alternatively you can start the testing scenario with make start-environment from the filebeat directory, and then run only this specific test with:

make python-env
make filebeat.test
source build/python-env/bin/activate
GENERATE=1 INTEGRATION_TESTS=1 TEST_MODULES=haproxy BEAT_STRICT_PERMS=false ES_HOST=<easticsearch ip> nosetest tests/system/test_module.py

If you have problems with this let me know and I think we can leave it for another PR.

jsoriano
jsoriano reviewed Oct 28, 2018
View reviewed changes
filebeat/module/system/auth/_meta/fields.yml
type: long
description: >
The PAM result error number.
- name: message
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

type: text also for error.message?

filebeat/module/system/auth/_meta/fields.yml Outdated
The requesting user name.
- name: rhost
description: >
The requesting hostname or IP address.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remote.user and remote.host instead of ruser and rhost? Just proposing, I am ok also with ruser and rhost if they are usual names for these values in the PAM context 🙂

@ruflin
Copy link
Member

ruflin commented Oct 29, 2018

This will need a changelog entry

ruflin
ruflin reviewed Oct 29, 2018
View reviewed changes
filebeat/module/system/auth/ingest/pipeline.json Outdated
@@ -15,22 +15,26 @@
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sudo(?:\\[%{POSINT:system.auth.pid}\\])?: \\s*%{DATA:system.auth.user} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}",
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} groupadd(?:\\[%{POSINT:system.auth.pid}\\])?: new group: name=%{DATA:system.auth.groupadd.name}, GID=%{NUMBER:system.auth.groupadd.gid}",
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} useradd(?:\\[%{POSINT:system.auth.pid}\\])?: new user: name=%{DATA:system.auth.useradd.name}, UID=%{NUMBER:system.auth.useradd.uid}, GID=%{NUMBER:system.auth.useradd.gid}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$",
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname}? %{DATA:system.auth.program}(?:\\[%{POSINT:system.auth.pid}\\])?: %{GREEDYMULTILINE:system.auth.message}"
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname}? %{DATA:system.auth.program}(?:\\[%{POSINT:system.auth.pid}\\])?: pam_%{DATA:system.auth.pam.module}\\(%{DATA:system.auth.pam.service}:%{DATA:system.auth.pam.type}\\): %{DATA:system.auth.pam.result}; logname=%{DATA:system.auth.pam.auth.logname} uid=%{INT:system.auth.pam.auth.uid} euid=%{INT:system.auth.pam.auth.euid} tty=%{DATA:system.auth.pam.auth.tty} ruser=%{DATA:system.auth.pam.auth.ruser} rhost=%{DATA:system.auth.pam.auth.rhost} user=%{DATA:system.auth.pam.user}$",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@original-brownbear I wonder if there are any recommendations from the ES ingest side on how we should handle that many ingest pipelines to make sure they stay performant.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ruflin I'm not sure I understand the question 100% but:

  • The number of configured ingest pipelines should not affect performance in and of itself I think.
  • @jakelandis merge per processor stats in ingest: processor stats elasticsearch#34202 so that's incoming as a tool to measure the impact of the various individual GROK configs that may help you?

Is that what you're looking for? :)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I should have mentioned "multiple grok patterns" affect perfomance as we use many different grok patterns above.

Looking forward to the stats.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ruflin ah got it :) So I think you don't have to worry about this too much.
Grok compiles all the patterns into a single Regex for matching. So it's more a question of what the individual Regex pieces look like than how many you have.
For non-backtracking Regex things should scale better than linear with the length of the single Regex we compile.

@botelastic
Copy link

botelastic bot commented Jul 8, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added Stalled needs_team Indicates that the issue/PR needs a Team:* label labels Jul 8, 2020
@botelastic botelastic bot removed the Stalled label Jul 8, 2020
@opoplawski
Copy link
Author

It may make sense to just start over, but I'll try to poke at this some more

@elasticmachine
Copy link
Collaborator

elasticmachine commented Jul 8, 2020
edited
Loading

❕ Build Aborted

The PR is not allowed to run in the CI yet

Pipeline View Test View Changes Artifacts

Expand to view the summary

Build stats

  • Build Cause: [Branch indexing]

  • Reason: The PR is not allowed to run in the CI yet

  • Start Time: 2020-07-13T13:43:07.669+0000

  • Duration: 6 min 38 sec

  • Commit: 5b9c78f

Steps errors

Expand to view the steps failures

  • Name: Error signal

    • Description: githubPrCheckApproved: The PR is not allowed to run in the CI yet. (Only users with write permission

    • Duration: 0 min 0 sec

    • Start Time: 2020-07-13T13:47:41.015+0000

    • log

Log output

Expand to view the last 100 lines of log output 

[2020-07-13T13:48:03.377Z] Stage "Elastic Agent x-pack" skipped due to earlier failure(s)
[2020-07-13T13:48:03.453Z] Stage "Elastic Agent x-pack Windows" skipped due to earlier failure(s)
[2020-07-13T13:48:03.483Z] Stage "Elastic Agent Mac OS X" skipped due to earlier failure(s)
[2020-07-13T13:48:03.569Z] Stage "Filebeat oss" skipped due to earlier failure(s)
[2020-07-13T13:48:03.630Z] Stage "Filebeat x-pack" skipped due to earlier failure(s)
[2020-07-13T13:48:03.646Z] Stage "Filebeat Mac OS X" skipped due to earlier failure(s)
[2020-07-13T13:48:03.679Z] Stage "Filebeat x-pack Mac OS X" skipped due to earlier failure(s)
[2020-07-13T13:48:03.748Z] Stage "Filebeat Windows" skipped due to earlier failure(s)
[2020-07-13T13:48:03.776Z] Stage "Filebeat x-pack Windows" skipped due to earlier failure(s)
[2020-07-13T13:48:03.807Z] Stage "Heartbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:03.856Z] Stage "Auditbeat oss Linux" skipped due to earlier failure(s)
[2020-07-13T13:48:03.879Z] Stage "Auditbeat crosscompile" skipped due to earlier failure(s)
[2020-07-13T13:48:03.919Z] Stage "Auditbeat oss Mac OS X" skipped due to earlier failure(s)
[2020-07-13T13:48:03.959Z] Stage "Auditbeat oss Windows" skipped due to earlier failure(s)
[2020-07-13T13:48:04.022Z] Stage "Auditbeat x-pack" skipped due to earlier failure(s)
[2020-07-13T13:48:04.063Z] Stage "Auditbeat x-pack Mac OS X" skipped due to earlier failure(s)
[2020-07-13T13:48:04.109Z] Stage "Auditbeat x-pack Windows" skipped due to earlier failure(s)
[2020-07-13T13:48:04.134Z] Stage "Libbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:04.169Z] Stage "Libbeat x-pack" skipped due to earlier failure(s)
[2020-07-13T13:48:04.184Z] Stage "Metricbeat OSS Unit tests" skipped due to earlier failure(s)
[2020-07-13T13:48:04.214Z] Stage "Metricbeat OSS Integration tests" skipped due to earlier failure(s)
[2020-07-13T13:48:04.239Z] Stage "Metricbeat Python integration tests" skipped due to earlier failure(s)
[2020-07-13T13:48:04.338Z] Stage "Metricbeat x-pack" skipped due to earlier failure(s)
[2020-07-13T13:48:04.349Z] Stage "Metricbeat crosscompile" skipped due to earlier failure(s)
[2020-07-13T13:48:04.365Z] Stage "Metricbeat Mac OS X" skipped due to earlier failure(s)
[2020-07-13T13:48:04.403Z] Stage "Metricbeat x-pack Mac OS X" skipped due to earlier failure(s)
[2020-07-13T13:48:04.423Z] Stage "Metricbeat Windows" skipped due to earlier failure(s)
[2020-07-13T13:48:04.448Z] Stage "Metricbeat x-pack Windows" skipped due to earlier failure(s)
[2020-07-13T13:48:04.514Z] Stage "Packetbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:04.522Z] Stage "dockerlogbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:04.539Z] Stage "Winlogbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:04.557Z] Stage "Winlogbeat Windows x-pack" skipped due to earlier failure(s)
[2020-07-13T13:48:04.586Z] Stage "Functionbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:04.618Z] Stage "Journalbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:04.634Z] Stage "Generators" skipped due to earlier failure(s)
[2020-07-13T13:48:04.671Z] Stage "Kubernetes" skipped due to earlier failure(s)
[2020-07-13T13:48:05.701Z] Stage "Heartbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:05.732Z] Stage "Libbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:05.813Z] Stage "Metricbeat x-pack" skipped due to earlier failure(s)
[2020-07-13T13:48:05.844Z] Stage "Packetbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:05.859Z] Stage "dockerlogbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:05.896Z] Stage "Winlogbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:05.935Z] Stage "Functionbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:05.960Z] Stage "Journalbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:06.015Z] Stage "Generators" skipped due to earlier failure(s)
[2020-07-13T13:48:13.737Z] Failed in branch Elastic Agent x-pack
[2020-07-13T13:48:13.782Z] Failed in branch Elastic Agent x-pack Windows
[2020-07-13T13:48:13.796Z] Failed in branch Elastic Agent Mac OS X
[2020-07-13T13:48:13.858Z] Failed in branch Filebeat oss
[2020-07-13T13:48:13.881Z] Failed in branch Filebeat x-pack
[2020-07-13T13:48:13.895Z] Failed in branch Filebeat Mac OS X
[2020-07-13T13:48:13.920Z] Failed in branch Filebeat x-pack Mac OS X
[2020-07-13T13:48:13.945Z] Failed in branch Filebeat Windows
[2020-07-13T13:48:13.961Z] Failed in branch Filebeat x-pack Windows
[2020-07-13T13:48:13.978Z] Failed in branch Auditbeat oss Linux
[2020-07-13T13:48:14.017Z] Failed in branch Auditbeat crosscompile
[2020-07-13T13:48:14.116Z] Failed in branch Auditbeat oss Mac OS X
[2020-07-13T13:48:14.206Z] Failed in branch Auditbeat oss Windows
[2020-07-13T13:48:14.252Z] Failed in branch Auditbeat x-pack
[2020-07-13T13:48:14.264Z] Failed in branch Auditbeat x-pack Mac OS X
[2020-07-13T13:48:14.275Z] Failed in branch Auditbeat x-pack Windows
[2020-07-13T13:48:14.294Z] Failed in branch Libbeat x-pack
[2020-07-13T13:48:14.319Z] Failed in branch Metricbeat OSS Unit tests
[2020-07-13T13:48:14.344Z] Failed in branch Metricbeat OSS Integration tests
[2020-07-13T13:48:14.359Z] Failed in branch Metricbeat Python integration tests
[2020-07-13T13:48:14.445Z] Failed in branch Metricbeat crosscompile
[2020-07-13T13:48:14.540Z] Failed in branch Metricbeat Mac OS X
[2020-07-13T13:48:14.572Z] Failed in branch Metricbeat x-pack Mac OS X
[2020-07-13T13:48:14.587Z] Failed in branch Metricbeat Windows
[2020-07-13T13:48:14.628Z] Failed in branch Metricbeat x-pack Windows
[2020-07-13T13:48:14.650Z] Failed in branch Winlogbeat Windows x-pack
[2020-07-13T13:48:14.680Z] Failed in branch Kubernetes
[2020-07-13T13:48:18.448Z] Stage "Heartbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:18.469Z] Stage "Libbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:18.480Z] Stage "Metricbeat x-pack" skipped due to earlier failure(s)
[2020-07-13T13:48:18.496Z] Stage "Winlogbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:18.512Z] Stage "Functionbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:18.543Z] Stage "Generators" skipped due to earlier failure(s)
[2020-07-13T13:48:22.498Z] Failed in branch Packetbeat
[2020-07-13T13:48:22.530Z] Failed in branch dockerlogbeat
[2020-07-13T13:48:22.584Z] Failed in branch Journalbeat
[2020-07-13T13:48:27.061Z] Stage "Heartbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:27.107Z] Stage "Libbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:27.124Z] Stage "Functionbeat" skipped due to earlier failure(s)
[2020-07-13T13:48:27.332Z] Stage "Generators" skipped due to earlier failure(s)
[2020-07-13T13:48:28.172Z] Failed in branch Metricbeat x-pack
[2020-07-13T13:48:28.206Z] Failed in branch Winlogbeat
[2020-07-13T13:48:31.025Z] Failed in branch Heartbeat
[2020-07-13T13:48:31.046Z] Failed in branch Libbeat
[2020-07-13T13:48:31.061Z] Failed in branch Functionbeat
[2020-07-13T13:48:31.062Z] Stage "Generators" skipped due to earlier failure(s)
[2020-07-13T13:48:32.466Z] Failed in branch Generators
[2020-07-13T13:48:42.496Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats_PR-8756
[2020-07-13T13:48:42.840Z] [INFO] getVaultSecret: Getting secrets
[2020-07-13T13:48:43.127Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-07-13T13:48:45.751Z] + chmod 755 generate-build-data.sh
[2020-07-13T13:48:45.751Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-8756/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-8756/runs/1 ABORTED 337759
[2020-07-13T13:48:45.751Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-8756/runs/1/steps/?limit=10000 -o steps-info.json
[2020-07-13T13:48:47.100Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-8756/runs/1/tests/?status=FAILED -o tests-errors.json
[2020-07-13T13:48:47.100Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-8756/runs/1/log/ -o pipeline-log.txt

@andresrc andresrc added the Team:Services (Deprecated) Label for the former Integrations-Services team label Jul 16, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/integrations-services (Team:Services)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jul 16, 2020
@botelastic
Copy link

botelastic bot commented Aug 15, 2020

Hi!
We just realized that we haven't looked into this PR in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it in as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Aug 15, 2020
@andresrc andresrc requested a review from jsoriano August 17, 2020 14:25
@botelastic botelastic bot removed the Stalled label Aug 17, 2020
@jsoriano
Copy link
Member

Hey @opoplawski, I think we can go on with this change, but could you update the branch with master and run mage fmt update? There is a conflict.

We should review if it would make sense to use ECS for some of the fields, for example system.auth.pid could be moved to process.pid, and system.auth.pam.user to user.name. Take a look to the reference to check the available fields: https://www.elastic.co/guide/en/ecs/1.6/ecs-field-reference.html

Also this will need a changelog entry.

@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@jsoriano jsoriano requested a review from a team August 21, 2020 09:29
@botelastic
Copy link

botelastic bot commented Sep 20, 2020

Hi!
We just realized that we haven't looked into this PR in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it in as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Sep 20, 2020
@botelastic
Copy link

botelastic bot commented Oct 20, 2020

Hi!
This PR has been stale for a while and we're going to close it as part of our cleanup procedure.
We appreciate your contribution and would like to apologize if we have not been able to review it, due to the current heavy load of the team.
Feel free to re-open this PR if you think it should stay open and is worth rebasing.
Thank you for your contribution!

@botelastic botelastic bot closed this Oct 20, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@original-brownbear original-brownbear original-brownbear left review comments

@ruflin ruflin ruflin left review comments

@jsoriano jsoriano Awaiting requested review from jsoriano

Assignees
No one assigned
Labels
enhancement Filebeat Filebeat module Stalled Team:Services (Deprecated) Label for the former Integrations-Services team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@opoplawski @elasticmachine @jsoriano @ruflin @original-brownbear @andresrc