Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't set dns.resolved_ip with invalid IP addresses #18436

Merged
merged 1 commit into from
May 12, 2020
Merged

Don't set dns.resolved_ip with invalid IP addresses #18436

merged 1 commit into from
May 12, 2020

Conversation

andrewkroh
Copy link
Member

What does this PR do?

Sometimes the DNS IP addresses from Sysmon in winlog.event_data.QueryResults are truncated.
The leads to mapping exceptions since the value is not of type ip in Elasticsearch.

To fix this the module will now filter any results that are not valid IP addresses.

Why is it important?

The issue causes mapping exceptions that could lead to dropped events.

Checklist

  • My code follows the style guidelines of this project
  • [ ] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

Fixes #18432

@andrewkroh andrewkroh added bug Winlogbeat needs_backport PR is waiting to be backported to other branches. Dependency:SIEM labels May 11, 2020
@andrewkroh andrewkroh requested a review from a team as a code owner May 11, 2020 23:09
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 11, 2020
@andrewkroh
Don't set dns.resolved_ip with invalid IP addresses
7b31d06 
Sometimes the DNS IP addresses from Sysmon in `winlog.event_data.QueryResults` are truncated.
The leads to mapping exceptions since the value is not of type `ip` in Elasticsearch.

To fix this the module will now filter any results that are not valid IP addresses.

Fixes elastic#18432
@andrewkroh andrewkroh force-pushed the bugfix/wlb/sysmon-dns-truncated branch from 1c266e4 to 7b31d06 Compare May 11, 2020 23:09
@andrewkroh andrewkroh mentioned this pull request May 11, 2020
Closed
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@andrewkroh andrewkroh removed the needs_team Indicates that the issue/PR needs a Team:* label label May 11, 2020
@elasticmachine
Copy link
Collaborator

elasticmachine commented May 11, 2020
edited
Loading

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview stats

Expand to view the summary

Build stats

Test stats 🧪

Test Results
Failed 0
Passed 81
Skipped 0
Total 81

Steps errors

Expand to view the steps failures

  • Name: Report to Codecov

    • Description: curl -sSLo codecov https://codecov.io/bash for i in auditbeat filebeat heartbeat libbeat metricbeat packetbeat winlogbeat journalbeat do FILE="${i}/build/coverage/full.cov" if [ -f "${FILE}" ]; then bash codecov -f "${FILE}" fi done

    • Result: FAILURE

    • Duration: 2 min 22 sec

    • Start Time: 2020-05-11T23:34:18.769+0000

    • log

@andrewkroh andrewkroh requested a review from marc-gr May 12, 2020 13:12
@andrewkroh andrewkroh merged commit ecd0f72 into elastic:master May 12, 2020
@andrewkroh andrewkroh mentioned this pull request May 12, 2020
Merged
3 tasks
andrewkroh added a commit to andrewkroh/beats that referenced this pull request May 12, 2020
@andrewkroh
Don't set dns.resolved_ip with invalid IP addresses (elastic#18436)
e6f8012 
Sometimes the DNS IP addresses from Sysmon in `winlog.event_data.QueryResults` are truncated.
The leads to mapping exceptions since the value is not of type `ip` in Elasticsearch.

To fix this the module will now filter any results that are not valid IP addresses.

Fixes elastic#18432

(cherry picked from commit ecd0f72)
@andrewkroh andrewkroh added v7.9.0 and removed needs_backport PR is waiting to be backported to other branches. labels May 12, 2020
@andrewkroh andrewkroh mentioned this pull request May 12, 2020
Merged
3 tasks
andrewkroh added a commit to andrewkroh/beats that referenced this pull request May 12, 2020
@andrewkroh
Don't set dns.resolved_ip with invalid IP addresses (elastic#18436)
d306877 
Sometimes the DNS IP addresses from Sysmon in `winlog.event_data.QueryResults` are truncated.
The leads to mapping exceptions since the value is not of type `ip` in Elasticsearch.

To fix this the module will now filter any results that are not valid IP addresses.

Fixes elastic#18432

(cherry picked from commit ecd0f72)
andrewkroh added a commit that referenced this pull request May 13, 2020
@andrewkroh
Don't set dns.resolved_ip with invalid IP addresses (#18436) (#18469)
d279ff7 
Sometimes the DNS IP addresses from Sysmon in `winlog.event_data.QueryResults` are truncated.
The leads to mapping exceptions since the value is not of type `ip` in Elasticsearch.

To fix this the module will now filter any results that are not valid IP addresses.

Fixes #18432

(cherry picked from commit ecd0f72)
andrewkroh added a commit that referenced this pull request May 13, 2020
@andrewkroh
Don't set dns.resolved_ip with invalid IP addresses (#18436) (#18468)
5fd3577 
Sometimes the DNS IP addresses from Sysmon in `winlog.event_data.QueryResults` are truncated.
The leads to mapping exceptions since the value is not of type `ip` in Elasticsearch.

To fix this the module will now filter any results that are not valid IP addresses.

Fixes #18432

(cherry picked from commit ecd0f72)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marc-gr marc-gr marc-gr approved these changes

Assignees
No one assigned
Labels
bug review v7.8.0 v7.9.0 Winlogbeat
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Winlogbeat] [Sysmon] dns.resolved_ip - not an IP string literal
3 participants
@andrewkroh @elasticmachine @marc-gr