Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add 21 autogenerated filesets from rsa2elk devices #19713

Merged
merged 19 commits into from
Jul 14, 2020

Conversation

adriansr
Copy link
Contributor

@adriansr adriansr commented Jul 7, 2020

What does this PR do?

This adds the following experimental filesets based on Apache 2 license device parsers:

Why is it important?

This is an effort to generate as many as possible experimental input sources from a set of 300 Apache2-licensed log parsers.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Notes to reviewers

The modules in this PR are autogenerated. All follow the same format:

sonicwall/
├── README.md
├── _meta
│   ├── config.yml
│   ├── docs.asciidoc
│   └── fields.yml
└── firewall
    ├── _meta
    │   └── fields.yml
    ├── config
    │   ├── input.yml
    │   ├── liblogparser.js
    │   └── pipeline.js
    ├── ingest
    │   └── pipeline.yml
    ├── manifest.yml
    └── test
        ├── generated.log
        └── generated.log-expected.json

The README.md, config.yml, docs.asciidoc and fields.yml are the same, basically replacing the module/vendor/product name.

Same for input.yml and manifest.yml. They define the same variables and inputs (tcp, udp and file).

The generated.log files are autogenerated by the same program that converts the original XML files to Javascript. Generating logs using parser's patterns (some with overlap) and user-defined field names is hard. Some generated logs make more sense than others.

A few selected modules contain real logs that we were able to obtain from other sources. Currently:

  • squid
  • zscaler

The liblogparser.js is the helper Javascript library for the parser. It's important to review this file. It's the same for all filesets.

The pipeline.js is the autogenerated pipeline. Contains all the parsers and actions defined in the source XML. We're aware that some of these parsers are outdated and some partly broken regarding extra whitespace in patterns. There will be an ongoing effort to fix them.

A couple of modules already existed:

  • cisco (new fileset nexus)
  • fortinet (new fileset clientendpoint)

In this case the _meta/config.yml and _meta/docs.asciidoc have been merged automatically.


Some parsers are currently broken (have tags: dissect_parsing_error). I'm working on fixing those.


The code for the generator is in https://github.com/adriansr/nwdevice2filebeat

@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Jul 7, 2020
@elasticmachine
Copy link
Collaborator

elasticmachine commented Jul 7, 2020

💔 Tests Failed

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Pull request #19713 updated]

  • Start Time: 2020-07-13T22:08:53.798+0000

  • Duration: 74 min 25 sec

Test stats 🧪

Test Results
Failed 12
Passed 8532
Skipped 1572
Total 10116

Test errors

Expand to view the tests failures

  • Name: Build and Test / Libbeat / Libbeat oss / test_dev_tool_export_dashboard_by_id – test_dashboard.Test

    • Age: 1
    • Duration: 0.195
    • Error Details: Expected exit code to be 0, but it was 1
  • Name: Build and Test / Libbeat / Libbeat oss / test_dev_tool_export_dashboard_by_id_from_space – test_dashboard.Test

    • Age: 1
    • Duration: 0.009
    • Error Details: HTTPConnectionPool(host='kibana', port=5601): Max retries exceeded with url: /api/status (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f533c8b9588>: Failed to establish a new connection: [Errno -2] Name or service not known'))
  • Name: Build and Test / Libbeat / Libbeat oss / test_dev_tool_export_dashboard_from_yml – test_dashboard.Test

    • Age: 1
    • Duration: 0.158
    • Error Details: Expected exit code to be 0, but it was 1
  • Name: Build and Test / Libbeat / Libbeat oss / test_export_dashboard_cmd_export_dashboard_by_id – test_dashboard.Test

    • Age: 1
    • Duration: 0.215
    • Error Details: Expected exit code to be 0, but it was 1
  • Name: Build and Test / Libbeat / Libbeat oss / test_export_dashboard_cmd_export_dashboard_by_id_and_decoding – test_dashboard.Test

    • Age: 1
    • Duration: 0.193
    • Error Details: Expected exit code to be 0, but it was 1
  • Name: Build and Test / Libbeat / Libbeat oss / test_export_dashboard_cmd_export_dashboard_by_id_unknown_id – test_dashboard.Test

    • Age: 1
    • Duration: 0.237
    • Error Details:
  • Name: Build and Test / Libbeat / Libbeat oss / test_export_dashboard_cmd_export_dashboard_from_not_existent_yml – test_dashboard.Test

    • Age: 1
    • Duration: 0.198
    • Error Details:
  • Name: Build and Test / Libbeat / Libbeat oss / test_export_dashboard_cmd_export_dashboard_from_yml – test_dashboard.Test

    • Age: 1
    • Duration: 0.141
    • Error Details: Expected exit code to be 0, but it was 1
  • Name: Build and Test / Libbeat / Libbeat oss / test_load_dashboard – test_dashboard.Test

    • Age: 1
    • Duration: 0.13
    • Error Details: Expected exit code to be 0, but it was 1
  • Name: Build and Test / Libbeat / Libbeat oss / test_load_dashboard_into_space – test_dashboard.Test

    • Age: 1
    • Duration: 0.021
    • Error Details: HTTPConnectionPool(host='kibana', port=5601): Max retries exceeded with url: /api/status (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f533c8e4e10>: Failed to establish a new connection: [Errno -2] Name or service not known'))
  • Name: Build and Test / Libbeat / Libbeat oss / test_load_only_index_patterns – test_dashboard.Test

    • Age: 1
    • Duration: 0.187
    • Error Details: Expected exit code to be 0, but it was 1
  • Name: Build and Test / Libbeat / Libbeat oss / test_load_without_dashboard – test_dashboard.Test

    • Age: 1
    • Duration: 0.136
    • Error Details: Expected exit code to be 0, but it was 1

Steps errors

Expand to view the steps failures

  • Name: Make -C filebeat testsuite

    • Description: make -C filebeat testsuite

    • Duration: 7 min 2 sec

    • Start Time: 2020-07-13T22:32:10.368+0000

    • log

  • Name: Mage update build test

    • Description: mage update build test

    • Duration: 5 min 5 sec

    • Start Time: 2020-07-13T22:32:07.963+0000

    • log

  • Name: Make -C auditbeat testsuite

    • Description: make -C auditbeat testsuite

    • Duration: 8 min 31 sec

    • Start Time: 2020-07-13T22:32:15.890+0000

    • log

  • Name: Report to Codecov

    • Description: curl -sSLo codecov https://codecov.io/bash for i in auditbeat filebeat heartbeat libbeat metricbeat packetbeat winlogbeat journalbeat do FILE="${i}/build/coverage/full.cov" if [ -f "${FILE}" ]; then bash codecov -f "${FILE}" fi done

    • Duration: 2 min 22 sec

    • Start Time: 2020-07-13T22:39:48.828+0000

    • log

  • Name: Report to Codecov

    • Description: curl -sSLo codecov https://codecov.io/bash for i in auditbeat filebeat heartbeat libbeat metricbeat packetbeat winlogbeat journalbeat do FILE="${i}/build/coverage/full.cov" if [ -f "${FILE}" ]; then bash codecov -f "${FILE}" fi done

    • Duration: 2 min 22 sec

    • Start Time: 2020-07-13T22:42:10.671+0000

    • log

  • Name: Report to Codecov

    • Description: curl -sSLo codecov https://codecov.io/bash for i in auditbeat filebeat heartbeat libbeat metricbeat packetbeat winlogbeat journalbeat do FILE="${i}/build/coverage/full.cov" if [ -f "${FILE}" ]; then bash codecov -f "${FILE}" fi done

    • Duration: 1 min 27 sec

    • Start Time: 2020-07-13T22:33:31.180+0000

    • log

  • Name: Report to Codecov

    • Description: curl -sSLo codecov https://codecov.io/bash for i in auditbeat filebeat heartbeat libbeat metricbeat packetbeat winlogbeat journalbeat do FILE="${i}/build/coverage/full.cov" if [ -f "${FILE}" ]; then bash codecov -f "${FILE}" fi done

    • Duration: 0 min 9 sec

    • Start Time: 2020-07-13T22:33:38.126+0000

    • log

  • Name: Make -C libbeat testsuite

    • Description: make -C libbeat testsuite

    • Duration: 37 min 52 sec

    • Start Time: 2020-07-13T22:32:12.279+0000

    • log

  • Name: Make -C x-pack/libbeat testsuite

    • Description: make -C x-pack/libbeat testsuite

    • Duration: 6 min 6 sec

    • Start Time: 2020-07-13T22:32:06.768+0000

    • log

  • Name: Report to Codecov

    • Description: curl -sSLo codecov https://codecov.io/bash for i in auditbeat filebeat heartbeat libbeat metricbeat packetbeat winlogbeat journalbeat do FILE="${i}/build/coverage/full.cov" if [ -f "${FILE}" ]; then bash codecov -f "${FILE}" fi done

    • Duration: 1 min 27 sec

    • Start Time: 2020-07-13T22:36:44.289+0000

    • log

  • Name: Make -C packetbeat testsuite

    • Description: make -C packetbeat testsuite

    • Duration: 7 min 1 sec

    • Start Time: 2020-07-13T22:32:13.394+0000

    • log

  • Name: Make -C generator/_templates/metricbeat test-package

    • Description: make -C generator/_templates/metricbeat test-package

    • Duration: 8 min 36 sec

    • Start Time: 2020-07-13T22:35:24.684+0000

    • log

Log output

Expand to view the last 100 lines of log output

[2020-07-13T23:22:50.509Z] + FILE=libbeat/build/coverage/full.cov
[2020-07-13T23:22:50.509Z] + [ -f libbeat/build/coverage/full.cov ]
[2020-07-13T23:22:50.509Z] + FILE=metricbeat/build/coverage/full.cov
[2020-07-13T23:22:50.509Z] + [ -f metricbeat/build/coverage/full.cov ]
[2020-07-13T23:22:50.509Z] + FILE=packetbeat/build/coverage/full.cov
[2020-07-13T23:22:50.509Z] + [ -f packetbeat/build/coverage/full.cov ]
[2020-07-13T23:22:50.509Z] + FILE=winlogbeat/build/coverage/full.cov
[2020-07-13T23:22:50.509Z] + [ -f winlogbeat/build/coverage/full.cov ]
[2020-07-13T23:22:50.509Z] + FILE=journalbeat/build/coverage/full.cov
[2020-07-13T23:22:50.509Z] + [ -f journalbeat/build/coverage/full.cov ]
[2020-07-13T23:22:51.015Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats
[2020-07-13T23:22:51.318Z] + find . -type f -name TEST*.xml -path */build/* -delete
[2020-07-13T23:22:51.330Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Lint
[2020-07-13T23:22:51.411Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Elastic-Agent-Mac-OS-X
[2020-07-13T23:22:51.489Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Elastic-Agent-x-pack
[2020-07-13T23:22:51.564Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Auditbeat-oss-Mac-OS-X
[2020-07-13T23:22:51.637Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Winlogbeat-oss
[2020-07-13T23:22:51.712Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Auditbeat-x-pack-Mac-OS-X
[2020-07-13T23:22:51.792Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Auditbeat-crosscompile
[2020-07-13T23:22:51.869Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Dockerlogbeat
[2020-07-13T23:22:51.942Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Generators-Metricbeat-Linux
[2020-07-13T23:22:52.040Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Journalbeat-oss
[2020-07-13T23:22:52.113Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Functionbeat-x-pack
[2020-07-13T23:22:52.189Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-Mac-OS-X
[2020-07-13T23:22:52.285Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Filebeat-x-pack-Mac-OS-X
[2020-07-13T23:22:52.385Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-x-pack-Mac-OS-X
[2020-07-13T23:22:52.462Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Filebeat-x-pack
[2020-07-13T23:22:52.542Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Elastic-Agent-x-pack-Windows
[2020-07-13T23:22:52.617Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-OSS-Unit-tests
[2020-07-13T23:22:52.690Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Libbeat-x-pack
[2020-07-13T23:22:52.794Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Filebeat-oss
[2020-07-13T23:22:52.888Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Packetbeat-oss
[2020-07-13T23:22:52.966Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Auditbeat-oss-Linux
[2020-07-13T23:22:53.039Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Auditbeat-x-pack
[2020-07-13T23:22:53.117Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Auditbeat-oss-Windows
[2020-07-13T23:22:53.196Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Auditbeat-x-pack-Windows
[2020-07-13T23:22:53.283Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Winlogbeat-Windows-x-pack
[2020-07-13T23:22:53.362Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Filebeat-x-pack-Windows
[2020-07-13T23:22:53.440Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Filebeat-Mac-OS-X
[2020-07-13T23:22:53.519Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-crosscompile
[2020-07-13T23:22:53.593Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Heartbeat-oss
[2020-07-13T23:22:53.668Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Filebeat-Windows
[2020-07-13T23:22:53.741Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Winlogbeat-Windows
[2020-07-13T23:22:53.822Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Functionbeat-Mac-OS-X-x-pack
[2020-07-13T23:22:53.897Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Heartbeat-Mac-OS-X
[2020-07-13T23:22:53.971Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-x-pack-Windows
[2020-07-13T23:22:54.043Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-Windows
[2020-07-13T23:22:54.119Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Functionbeat-Windows
[2020-07-13T23:22:54.226Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Heartbeat-Windows
[2020-07-13T23:22:54.308Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Libbeat-oss
[2020-07-13T23:22:54.394Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-Python-integration-tests
[2020-07-13T23:22:54.481Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-OSS-Integration-tests
[2020-07-13T23:22:54.564Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-x-pack
[2020-07-13T23:22:54.938Z] + cat
[2020-07-13T23:22:54.938Z] + /usr/local/bin/runbld ./runbld-script
[2020-07-13T23:22:54.938Z] Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
[2020-07-13T23:23:01.523Z] runbld>>> runbld started
[2020-07-13T23:23:01.523Z] runbld>>> 1.6.12/f45d832f2ba0aa2722ab4ec1fda8ad140f027f8b
[2020-07-13T23:23:02.906Z] runbld>>> The following profiles matched the job 'Beats/beats/PR-19713' in order of occurrence in the config (last value wins).
[2020-07-13T23:23:04.289Z] runbld>>> Debug logging enabled.
[2020-07-13T23:23:04.289Z] runbld>>> Storing result
[2020-07-13T23:23:04.289Z] runbld>>> Store result: created {:total 2, :successful 2, :failed 0} 1
[2020-07-13T23:23:04.289Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200713232303-E151C80A
[2020-07-13T23:23:04.289Z] runbld>>> Adding system facts.
[2020-07-13T23:23:05.233Z] runbld>>> Adding vcs info for the latest commit:  bdf37be9d837f886ae31589ba23761953d7edd49
[2020-07-13T23:23:05.233Z] runbld>>> >>>>>>>>>>>> SCRIPT EXECUTION BEGIN >>>>>>>>>>>>
[2020-07-13T23:23:05.233Z] runbld>>> Adding /usr/lib/jvm/java-8-openjdk-amd64/bin to the path.
[2020-07-13T23:23:05.233Z] Processing JUnit reports with runbld...
[2020-07-13T23:23:05.233Z] + echo 'Processing JUnit reports with runbld...'
[2020-07-13T23:23:05.497Z] runbld>>> <<<<<<<<<<<< SCRIPT EXECUTION END <<<<<<<<<<<<
[2020-07-13T23:23:05.497Z] runbld>>> DURATION: 19ms
[2020-07-13T23:23:05.497Z] runbld>>> STDOUT: 40 bytes
[2020-07-13T23:23:05.497Z] runbld>>> STDERR: 49 bytes
[2020-07-13T23:23:05.497Z] runbld>>> WRAPPED PROCESS: SUCCESS (0)
[2020-07-13T23:23:05.497Z] runbld>>> Searching for build metadata in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats
[2020-07-13T23:23:06.439Z] runbld>>> Storing build metadata: 
[2020-07-13T23:23:06.439Z] runbld>>> Adding test report.
[2020-07-13T23:23:06.439Z] runbld>>> Searching for junit test output files with the pattern: TEST-.*\.xml$ in: /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats
[2020-07-13T23:23:07.379Z] runbld>>> Found 109 test output files
[2020-07-13T23:23:07.953Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-istio.xml
[2020-07-13T23:23:07.953Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-tomcat.xml
[2020-07-13T23:23:07.953Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-iis.xml
[2020-07-13T23:23:07.953Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-openmetrics.xml
[2020-07-13T23:23:07.953Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-activemq.xml
[2020-07-13T23:23:09.339Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-OSS-Integration-tests/metricbeat/build/TEST-go-integration-graphite.xml
[2020-07-13T23:23:09.339Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-OSS-Integration-tests/metricbeat/build/TEST-go-integration-windows.xml
[2020-07-13T23:23:09.339Z] runbld>>> Test output logs contained: Errors: 2 Failures: 10 Tests: 9970 Skipped: 1334
[2020-07-13T23:23:09.600Z] runbld>>> Storing result
[2020-07-13T23:23:09.600Z] runbld>>> FAILURES: 12
[2020-07-13T23:23:12.165Z] runbld>>> Store result: updated {:total 2, :successful 2, :failed 0} 2
[2020-07-13T23:23:12.165Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200713232303-E151C80A
[2020-07-13T23:23:12.165Z] runbld>>> Email notification disabled by environment variable.
[2020-07-13T23:23:12.165Z] runbld>>> Slack notification disabled by environment variable.
[2020-07-13T23:23:17.918Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats_PR-19713
[2020-07-13T23:23:18.017Z] [INFO] getVaultSecret: Getting secrets
[2020-07-13T23:23:18.086Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-07-13T23:23:18.796Z] + chmod 755 generate-build-data.sh
[2020-07-13T23:23:18.796Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-19713/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-19713/runs/6 FAILURE 4464738
[2020-07-13T23:23:18.796Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-19713/runs/6/steps/?limit=10000 -o steps-info.json
[2020-07-13T23:23:20.139Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-19713/runs/6/tests/?status=FAILED -o tests-errors.json

Copy link

@andrewstucki andrewstucki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did an initial scan through the first 1/3 or so of mappings. Awesome work @adriansr! This might take awhile to get through though :(

Made some comments on the field mappings, but most important changes IMO right now are:

  1. Drop the event.category fields for now since they're not currently mapping to ECS-allowed values
  2. user.name should be treated as a string rather than an array--dump everything under related.user that's currently under user.name and then, if we have time we can figure out which of the referenced user belongs under user.name.

"event.module": "squid",
"event.original": "1035368729.430 371 210.8.79.228 TCP_MISS/200 2136 GET http://www.fas.harvard.edu/~hpcws/nav/navbar_r3_c6.jpg - FIRST_PARENT_MISS/proxy2.syd.connect.com.au image/jpeg",
"fileset.name": "log",
"http.response.body.content": "navbar_r3_c6.jpg",

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this doesn't look right, the content field would be the raw bytes of the jpeg in this case, so not something we'd fill in since it's binary data

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the field webpage, mapped to http.response.body.content. I don't think any parser is going to capture the full body of a request, so we might as well not map this field to ECS, as there is no field for the document name. Maybe file.name? @webmat WDYT?

Copy link
Contributor

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wow. Amazing work.

"event.code": "https",
"event.dataset": "fortinet.clientendpoint",
"event.module": "fortinet",
"event.original": "March 26 2016/03/26 aqui4726.mail.localhost proto=icmp service=https status=deny src=10.85.66.161 dst=10.131.115.96 src_port=2638 dst_port=1890 server_app=eum pid=654 app_name=rmagni traff_direct=sit block_count=5509 logon_user=onev@tenima1073.local msg=success",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should the ips, ports, proto & service be parsed out? seems odd that it isn't.

"event.dataset": "imperva.securesphere",
"event.module": "imperva",
"event.original": "%IMPERVA-Imperva,dstIP=10.70.155.35,dstPort=892,dbUsername=tatno,srcIP=10.81.122.126,srcPort=4141,creatTime=29 January 2016 06:09:59,srvGroup=uam,service=untutl,appName=rad,event#=taliqu,eventType=Login,usrGroup=ommod,usrAuth=True,application=\"scivel\",osUsername=aqui,srcHost=radipis5408.mail.local,dbName=enatuse,schemaName=magn,bindVar=equuntu,sqlError=failure,respSize=5910,respTime=10.347000,affRows=sum,action=\"cancel\",rawQuery=\"sit\"",
"event.outcome": "Success",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

event.outcome should be lowercase "success"

"observer.product": "Nexpose",
"observer.type": "Vulnerability",
"observer.vendor": "Rapid7",
"rsa.internal.messageid": "[Site:",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this right?, looks off with the [

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's something off in this parser or the log generator. I will check

"fileset.name": "firewall",
"input.type": "log",
"log.flags": [
"dissect_parsing_error"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is the dissect failing? seems odd we aren't getting src & dst fields out of this.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed

"rsa.network.domain": "login.yahoo.com",
"rsa.time.duration_time": 5006,
"rsa.time.event_time": "2006-09-08T04:21:52.000Z",
"rsa.time.event_time_str": "1157689312",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems odd that the event_time_str field is populated with a number.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, that's how this parser is defined. squid uses UNIX timestamps, which is captured it in event_time_str (raw). That is used to populate event_time and @timestamp.

"url.domain": "www.fas.harvard.edu",
"url.original": "http://www.fas.harvard.edu/~hpcws/nav/navbar_r3_c6.jpg",
"user.name": [
"-"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

very minor. I'm assuming "-" means no user name. can we skip if "-"?

Comment on lines 29 to 33
"rsa.web.alias_host": "https://example.com/illumqui/ventore.html?min=ite#utl",
"rsa.web.fqdn": "https://example.com/illumqui/ventore.html?min=ite#utl",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems odd that these fields have full url

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a bit odd. This parser is capturing the full URL and setting fqdn to that. There's a method to extract the FQDN from an URL, but it's not using it for some reason.

@adriansr
Copy link
Contributor Author

adriansr commented Jul 8, 2020

@leehinman @andrewstucki I think I've addressed all the issues I could. Thanks a lot for your feedback, it's helping to add a lot of improvement.

Copy link
Contributor

@tsg tsg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have reviewed the generated docs and scanned the rest. 👍

"10.232.59.7"
],
"rsa.internal.messageid": "ntpdate",
"rsa.time.duration_str": "tur",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be a problem with the original parsers. I think "tur" is the timezone, not a duration.

This is caused by the log generator not being able to add valid
timestamps to the logs.
This adds the following experimental filesets based on Apache 2 license
device parsers:

- tomcat.log
- netscout.sightline
- barracuda.waf
- f5.bigipapm
- bluecoat.director
- cisco.nexus
- citrix.virtualapps
- cylance.protect
- f5.firepass
- fortinet.clientendpoint
- imperva.securesphere
- infoblox.nios
- juniper.junos
- kaspersky.av
- microsoft.dhcp
- tenable.nessus_security
- rapid7.nexpose
- radware.defensepro
- sonicwall.firewall
- squid.log
- zscaler.zia
Some pipelines were failing due to trailing space at the end of messages
(which the original XML format ignores). Updated the generator to strip
those spaces.
@adriansr adriansr merged commit 6d0dc62 into elastic:master Jul 14, 2020
@adriansr
Copy link
Contributor Author

Merged using admin privileges due to CI flakiness. All tests passing in my computer.

v1v added a commit to v1v/beats that referenced this pull request Jul 14, 2020
* upstream/master: (25 commits)
  [Elastic Agent] Send checkin payload to Fleet (elastic#19857)
  [Ingest Manager] Fixed tests across agent elastic#19877
  [Ingest Manager] Fix serialization test  elastic#19876
  Fix service start type mapping in windows/service metricset (elastic#19551)
  ci: Change comment trigger detection method (elastic#19827)
  Add 21 autogenerated filesets from rsa2elk devices (elastic#19713)
  [Ingest Manager] Agent config cleanup (elastic#19848)
  libbeat/publisher/pipeline: fix data races (elastic#19821)
  Update monitoring-internal-collection.asciidoc (elastic#19422) (elastic#19697)
  [Elastic Agent] Trust exchange endpoint must bind to 127.0.0.1 (elastic#19861)
  Specify an ECS version in Auditbeat/Packetbeat/Winlogbeat (elastic#19159)
  Add azure billing metricset (elastic#19207)
  Add support for appinsights in the metricbeat azure module (elastic#18940)
  Add MySQL query metricset with lightweight module and SQL helper (elastic#18955)
  [Ingest Manager] Refuse invalid stream values in configuration (elastic#19587)
  Do not use vendor during integration tests (elastic#19839)
  LIBBEAT: Enhancement Convert dissected values from String to other basic data types and IP (elastic#18683)
  [Elastic Agent] Remove support for "logs" and only support logfile (elastic#19761)
  [CI] support windows-2012 (elastic#19773)
  Do not update go.mod during packaging and testing (elastic#19823)
  ...
adriansr added a commit to adriansr/beats that referenced this pull request Jul 14, 2020
This adds the following experimental filesets based on Apache 2 license
device parsers:

- tomcat.log
- netscout.sightline
- barracuda.waf
- f5.bigipapm
- bluecoat.director
- cisco.nexus
- citrix.virtualapps
- cylance.protect
- f5.firepass
- fortinet.clientendpoint
- imperva.securesphere
- infoblox.nios
- juniper.junos
- kaspersky.av
- microsoft.dhcp
- tenable.nessus_security
- rapid7.nexpose
- radware.defensepro
- sonicwall.firewall
- squid.log
- zscaler.zia

(cherry picked from commit 6d0dc62)
adriansr added a commit that referenced this pull request Jul 14, 2020
This adds the following experimental filesets based on Apache 2 license
device parsers:

- tomcat.log
- netscout.sightline
- barracuda.waf
- f5.bigipapm
- bluecoat.director
- cisco.nexus
- citrix.virtualapps
- cylance.protect
- f5.firepass
- fortinet.clientendpoint
- imperva.securesphere
- infoblox.nios
- juniper.junos
- kaspersky.av
- microsoft.dhcp
- tenable.nessus_security
- rapid7.nexpose
- radware.defensepro
- sonicwall.firewall
- squid.log
- zscaler.zia

(cherry picked from commit 6d0dc62)
andrewkroh added a commit to andrewkroh/beats that referenced this pull request Jul 22, 2020
When the fields.yml file is constructed it is done by appending files together and adding some indenting.
In the case of Filebeat, a fileset's fields.yml is appended with an indent of 8 spaces to the module's fields.yml.
This generally allows for all of the filesets fields to become children of the module.

The problem we had was that the new filesets added in elastic#19713 expected that their fields would be root fields
(not children to the module namespace). In cases where the module already existed and had declared
a module namespace field in its fields.yml this resulted in unexpectedly namespaced fieldset fields
(e.g. microsoft.rsa.* instead of rsa.*).

The size of the x-pack/filebeat index-pattern is still large (915885 bytes), but not so large that it goes beyond the Kibana
request payload limit.

Fixes elastic#19965
andrewkroh added a commit that referenced this pull request Jul 23, 2020
When the fields.yml file is constructed it is done by appending files together and adding some indenting.
In the case of Filebeat, a fileset's fields.yml is appended with an indent of 8 spaces to the module's fields.yml.
This generally allows for all of the filesets fields to become children of the module.

The problem we had was that the new filesets added in #19713 expected that their fields would be root fields
(not children to the module namespace). In cases where the module already existed and had declared
a module namespace field in its fields.yml this resulted in unexpectedly namespaced fieldset fields
(e.g. microsoft.rsa.* instead of rsa.*).

The size of the x-pack/filebeat index-pattern is still large (915885 bytes), but not so large that it goes beyond the Kibana
request payload limit.

Fixes #19965
andrewkroh added a commit to andrewkroh/beats that referenced this pull request Jul 23, 2020
When the fields.yml file is constructed it is done by appending files together and adding some indenting.
In the case of Filebeat, a fileset's fields.yml is appended with an indent of 8 spaces to the module's fields.yml.
This generally allows for all of the filesets fields to become children of the module.

The problem we had was that the new filesets added in elastic#19713 expected that their fields would be root fields
(not children to the module namespace). In cases where the module already existed and had declared
a module namespace field in its fields.yml this resulted in unexpectedly namespaced fieldset fields
(e.g. microsoft.rsa.* instead of rsa.*).

The size of the x-pack/filebeat index-pattern is still large (915885 bytes), but not so large that it goes beyond the Kibana
request payload limit.

Fixes elastic#19965

(cherry picked from commit ea7c05f)
andrewkroh added a commit to andrewkroh/beats that referenced this pull request Jul 23, 2020
When the fields.yml file is constructed it is done by appending files together and adding some indenting.
In the case of Filebeat, a fileset's fields.yml is appended with an indent of 8 spaces to the module's fields.yml.
This generally allows for all of the filesets fields to become children of the module.

The problem we had was that the new filesets added in elastic#19713 expected that their fields would be root fields
(not children to the module namespace). In cases where the module already existed and had declared
a module namespace field in its fields.yml this resulted in unexpectedly namespaced fieldset fields
(e.g. microsoft.rsa.* instead of rsa.*).

The size of the x-pack/filebeat index-pattern is still large (915885 bytes), but not so large that it goes beyond the Kibana
request payload limit.

Fixes elastic#19965

(cherry picked from commit ea7c05f)
andrewkroh added a commit that referenced this pull request Jul 23, 2020
When the fields.yml file is constructed it is done by appending files together and adding some indenting.
In the case of Filebeat, a fileset's fields.yml is appended with an indent of 8 spaces to the module's fields.yml.
This generally allows for all of the filesets fields to become children of the module.

The problem we had was that the new filesets added in #19713 expected that their fields would be root fields
(not children to the module namespace). In cases where the module already existed and had declared
a module namespace field in its fields.yml this resulted in unexpectedly namespaced fieldset fields
(e.g. microsoft.rsa.* instead of rsa.*).

The size of the x-pack/filebeat index-pattern is still large (915885 bytes), but not so large that it goes beyond the Kibana
request payload limit.

Fixes #19965

(cherry picked from commit ea7c05f)
andrewkroh added a commit that referenced this pull request Jul 23, 2020
When the fields.yml file is constructed it is done by appending files together and adding some indenting.
In the case of Filebeat, a fileset's fields.yml is appended with an indent of 8 spaces to the module's fields.yml.
This generally allows for all of the filesets fields to become children of the module.

The problem we had was that the new filesets added in #19713 expected that their fields would be root fields
(not children to the module namespace). In cases where the module already existed and had declared
a module namespace field in its fields.yml this resulted in unexpectedly namespaced fieldset fields
(e.g. microsoft.rsa.* instead of rsa.*).

The size of the x-pack/filebeat index-pattern is still large (915885 bytes), but not so large that it goes beyond the Kibana
request payload limit.

Fixes #19965

(cherry picked from commit ea7c05f)
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this pull request Oct 14, 2020
This adds the following experimental filesets based on Apache 2 license
device parsers:

- tomcat.log
- netscout.sightline
- barracuda.waf
- f5.bigipapm
- bluecoat.director
- cisco.nexus
- citrix.virtualapps
- cylance.protect
- f5.firepass
- fortinet.clientendpoint
- imperva.securesphere
- infoblox.nios
- juniper.junos
- kaspersky.av
- microsoft.dhcp
- tenable.nessus_security
- rapid7.nexpose
- radware.defensepro
- sonicwall.firewall
- squid.log
- zscaler.zia
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this pull request Oct 14, 2020
When the fields.yml file is constructed it is done by appending files together and adding some indenting.
In the case of Filebeat, a fileset's fields.yml is appended with an indent of 8 spaces to the module's fields.yml.
This generally allows for all of the filesets fields to become children of the module.

The problem we had was that the new filesets added in elastic#19713 expected that their fields would be root fields
(not children to the module namespace). In cases where the module already existed and had declared
a module namespace field in its fields.yml this resulted in unexpectedly namespaced fieldset fields
(e.g. microsoft.rsa.* instead of rsa.*).

The size of the x-pack/filebeat index-pattern is still large (915885 bytes), but not so large that it goes beyond the Kibana
request payload limit.

Fixes elastic#19965
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
When the fields.yml file is constructed it is done by appending files together and adding some indenting.
In the case of Filebeat, a fileset's fields.yml is appended with an indent of 8 spaces to the module's fields.yml.
This generally allows for all of the filesets fields to become children of the module.

The problem we had was that the new filesets added in elastic#19713 expected that their fields would be root fields
(not children to the module namespace). In cases where the module already existed and had declared
a module namespace field in its fields.yml this resulted in unexpectedly namespaced fieldset fields
(e.g. microsoft.rsa.* instead of rsa.*).

The size of the x-pack/filebeat index-pattern is still large (915885 bytes), but not so large that it goes beyond the Kibana
request payload limit.

Fixes elastic#19965

(cherry picked from commit 84a227a)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants