filebeat,x-pack/filebeat: prevent master=>event.original rename failu…

…res (#39588)
elastic · May 17, 2024 · 6975676 · 6975676
1 parent 1628475
commit 6975676
Show file tree

Hide file tree

Showing 14 changed files with 16 additions and 0 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -271,6 +271,8 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Improve logging of request and response with request trace logging in error conditions. {pull}39455[39455]
 - Add HTTP metrics to CEL input. {issue}39501[39501] {pull}39503[39503]
 - Add default user-agent to CEL HTTP requests. {issue}39502[39502] {pull}39587[39587]
+- Improve reindexing support in security module pipelines. {issue}38224[38224] {pull}[]
+- Improve reindexing support in security module pipelines. {issue}38224[38224] {pull}39588[39588]
 
 *Auditbeat*
 

diff --git a/filebeat/module/santa/log/ingest/pipeline.yml b/filebeat/module/santa/log/ingest/pipeline.yml
@@ -13,6 +13,8 @@ processors:
 - rename:
     field: message
     target_field: event.original
+    ignore_missing: true
+    if: ctx.event?.original == null
 - date:
     field: process.start
     target_field: process.start

diff --git a/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml
@@ -11,6 +11,7 @@ processors:
       field: message
       target_field: event.original
       ignore_missing: true
+      if: ctx.event?.original == null
   - grok:
       field: event.original
       patterns:

diff --git a/x-pack/filebeat/module/cisco/umbrella/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/umbrella/ingest/pipeline.yml
@@ -12,6 +12,7 @@ processors:
 - set:
     field: event.original
     value: "{{message}}"
+    if: ctx.event?.original == null
 ############
 # DNS Logs #
 ############

diff --git a/x-pack/filebeat/module/coredns/log/ingest/pipeline-json.yml b/x-pack/filebeat/module/coredns/log/ingest/pipeline-json.yml
@@ -5,6 +5,7 @@ processors:
       field: message
       target_field: event.original
       ignore_failure: true
+      if: ctx.event?.original == null
   - json:
       field: event.original
       target_field: json

diff --git a/x-pack/filebeat/module/iptables/log/ingest/pipeline.yml b/x-pack/filebeat/module/iptables/log/ingest/pipeline.yml
@@ -54,6 +54,7 @@ processors:
 - rename:
     field: message
     target_field: event.original
+    if: ctx.event?.original == null
 - grok:
     field: iptables.ubiquiti.rule_set
     ignore_missing: true

diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
@@ -14,6 +14,7 @@ processors:
       field: message
       target_field: event.original
       ignore_failure: true
+      if: ctx.event?.original == null
 
 # Get the timezone from the IETF header if present. Otherwise the timezone
 # value added by the add_locale processor will be used.

diff --git a/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abusemalware/ingest/pipeline.yml
@@ -24,6 +24,7 @@ processors:
       field: message
       target_field: event.original
       ignore_missing: true
+      if: ctx.event?.original == null
   - json:
       field: event.original
       target_field: abusech.malware

diff --git a/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml
@@ -24,6 +24,7 @@ processors:
       field: message
       target_field: event.original
       ignore_missing: true
+      if: ctx.event?.original == null
   - json:
       field: event.original
       target_field: abusech.url

diff --git a/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml
@@ -24,6 +24,7 @@ processors:
       field: message
       target_field: event.original
       ignore_missing: true
+      if: ctx.event?.original == null
   - json:
       field: event.original
       target_field: anomali.limo

diff --git a/x-pack/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/malwarebazaar/ingest/pipeline.yml
@@ -24,6 +24,7 @@ processors:
       field: message
       target_field: event.original
       ignore_missing: true
+      if: ctx.event?.original == null
   - json:
       field: event.original
       target_field: abusech.malwarebazaar

diff --git a/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml
@@ -24,6 +24,7 @@ processors:
       field: message
       target_field: event.original
       ignore_missing: true
+      if: ctx.event?.original == null
   - json:
       field: event.original
       target_field: json

diff --git a/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml
@@ -24,6 +24,7 @@ processors:
       field: message
       target_field: event.original
       ignore_missing: true
+      if: ctx.event?.original == null
   - json:
       field: event.original
       target_field: otx

diff --git a/x-pack/filebeat/module/threatintel/threatq/ingest/pipeline.yml b/x-pack/filebeat/module/threatintel/threatq/ingest/pipeline.yml
@@ -24,6 +24,7 @@ processors:
       field: message
       target_field: event.original
       ignore_missing: true
+      if: ctx.event?.original == null
   - json:
       field: event.original
       target_field: json