Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cherry-pick #19121 to 7.x: [Filebeat] Add text & flattened fields in aws cloudtrail fileset #19809

Merged
merged 2 commits into from
Jul 13, 2020
Merged

Cherry-pick #19121 to 7.x: [Filebeat] Add text & flattened fields in aws cloudtrail fileset #19809

merged 2 commits into from
Jul 13, 2020

Conversation

leehinman
Copy link
Contributor

@leehinman leehinman commented Jul 9, 2020
edited by zube bot
Loading

Cherry-pick of PR #19121 to 7.x branch. Original message:

What does this PR do?

AWS cloudtrail events have the following fields where the subfields
are highley variable: requestParameters, responseElements,
additionalEventData and serviceEventDetails. This PR adds a text
multi_field to the existing fields and adds a new flattened field.

multi_fields added to following fields:

  • aws.cloudtrail.request_parameters
  • aws.cloudtrail.response_elements
  • aws.cloudtrail.additiona_eventdata
  • aws.cloudtrail.service_event_details

flattened version of the fields are stored here:

  • aws.cloudtrail.flattened.request_parameters
  • aws.cloudtrail.flattened.response_elements
  • aws.cloudtrail.flattened.additiona_eventdata
  • aws.cloudtrail.flattened.service_event_details

Why is it important?

The string representation of the highly variable subfields wasn't
meeting everyones needs. The text multi field and flattened objects
should make searching on these fields much easier.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
    - [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

GENERATE=true TESTING_FILEBEAT_MODULES=aws mage -v pythonIntegTest

Related issues

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jul 9, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jul 9, 2020
@leehinman
Add text & flattened fields in aws cloudtrail fileset (elastic#19121)
ae2fae9 
AWS cloudtrail events have the following fields where the subfields
are highley variable: requestParameters, responseElements,
additionalEventData and serviceEventDetails.

multi_fields added to following fields
- aws.cloudtrail.request_parameters
- aws.cloudtrail.response_elements
- aws.cloudtrail.additiona_eventdata
- aws.cloudtrail.service_event_details

flattened version of the fields are stored here:
- aws.cloudtrail.flattened.request_parameters
- aws.cloudtrail.flattened.response_elements
- aws.cloudtrail.flattened.additiona_eventdata
- aws.cloudtrail.flattened.service_event_details

Closes elastic#18866

(cherry picked from commit d16ecc9)
@elasticmachine
Copy link
Collaborator

💔 Build Failed

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Pull request #19809 updated]

  • Start Time: 2020-07-10T13:49:27.949+0000

  • Duration: 124 min 15 sec

Test stats 🧪

Test Results
Failed 0
Passed 8979
Skipped 1562
Total 10541

Steps errors

Expand to view the steps failures

  • Name: Mage build unitTest

    • Description: mage build unitTest

    • Duration: 3 min 58 sec

    • Start Time: 2020-07-10T14:20:51.466+0000

    • log

  • Name: Make -C libbeat testsuite

    • Description: make -C libbeat testsuite

    • Duration: 8 min 25 sec

    • Start Time: 2020-07-10T14:14:48.390+0000

    • log

  • Name: Report to Codecov

    • Description: curl -sSLo codecov https://codecov.io/bash for i in auditbeat filebeat heartbeat libbeat metricbeat packetbeat winlogbeat journalbeat do FILE="${i}/build/coverage/full.cov" if [ -f "${FILE}" ]; then bash codecov -f "${FILE}" fi done

    • Duration: 1 min 27 sec

    • Start Time: 2020-07-10T14:57:46.633+0000

    • log

  • Name: Report to Codecov

    • Description: curl -sSLo codecov https://codecov.io/bash for i in auditbeat filebeat heartbeat libbeat metricbeat packetbeat winlogbeat journalbeat do FILE="${i}/build/coverage/full.cov" if [ -f "${FILE}" ]; then bash codecov -f "${FILE}" fi done

    • Duration: 1 min 27 sec

    • Start Time: 2020-07-10T14:59:13.412+0000

    • log

Log output

Expand to view the last 100 lines of log output 

[2020-07-10T15:53:14.589Z] + [ -f libbeat/build/coverage/full.cov ]
[2020-07-10T15:53:14.589Z] + FILE=metricbeat/build/coverage/full.cov
[2020-07-10T15:53:14.589Z] + [ -f metricbeat/build/coverage/full.cov ]
[2020-07-10T15:53:14.589Z] + FILE=packetbeat/build/coverage/full.cov
[2020-07-10T15:53:14.589Z] + [ -f packetbeat/build/coverage/full.cov ]
[2020-07-10T15:53:14.589Z] + FILE=winlogbeat/build/coverage/full.cov
[2020-07-10T15:53:14.589Z] + [ -f winlogbeat/build/coverage/full.cov ]
[2020-07-10T15:53:14.589Z] + FILE=journalbeat/build/coverage/full.cov
[2020-07-10T15:53:14.589Z] + [ -f journalbeat/build/coverage/full.cov ]
[2020-07-10T15:53:15.388Z] Failed in branch Filebeat oss
[2020-07-10T15:53:15.739Z] Failed in branch Filebeat x-pack
[2020-07-10T15:53:15.870Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats
[2020-07-10T15:53:16.182Z] + find . -type f -name TEST*.xml -path */build/* -delete
[2020-07-10T15:53:16.195Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Lint
[2020-07-10T15:53:16.278Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Elastic-Agent-Mac-OS-X
[2020-07-10T15:53:16.354Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Auditbeat-crosscompile
[2020-07-10T15:53:16.428Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Elastic-Agent-x-pack
[2020-07-10T15:53:16.499Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Winlogbeat-oss
[2020-07-10T15:53:16.572Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Dockerlogbeat
[2020-07-10T15:53:16.644Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Metricbeat-x-pack-Mac-OS-X
[2020-07-10T15:53:16.716Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Filebeat-x-pack-Mac-OS-X
[2020-07-10T15:53:16.786Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Journalbeat-oss
[2020-07-10T15:53:16.858Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Filebeat-Mac-OS-X
[2020-07-10T15:53:16.930Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Metricbeat-Mac-OS-X
[2020-07-10T15:53:17.001Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Generators-Metricbeat-Linux
[2020-07-10T15:53:17.070Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Auditbeat-oss-Mac-OS-X
[2020-07-10T15:53:17.144Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Functionbeat-x-pack
[2020-07-10T15:53:17.214Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Libbeat-oss
[2020-07-10T15:53:17.286Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Elastic-Agent-x-pack-Windows
[2020-07-10T15:53:17.357Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Metricbeat-OSS-Unit-tests
[2020-07-10T15:53:17.429Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Auditbeat-x-pack
[2020-07-10T15:53:17.501Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Metricbeat-crosscompile
[2020-07-10T15:53:17.573Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Auditbeat-oss-Windows
[2020-07-10T15:53:17.645Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Heartbeat-oss
[2020-07-10T15:53:17.719Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Auditbeat-x-pack-Windows
[2020-07-10T15:53:17.790Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Libbeat-x-pack
[2020-07-10T15:53:17.861Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Winlogbeat-Windows-x-pack
[2020-07-10T15:53:17.932Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Filebeat-x-pack-Windows
[2020-07-10T15:53:18.004Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Heartbeat-Mac-OS-X
[2020-07-10T15:53:18.077Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Filebeat-Windows
[2020-07-10T15:53:18.152Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Auditbeat-oss-Linux
[2020-07-10T15:53:18.229Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Packetbeat-oss
[2020-07-10T15:53:18.311Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Auditbeat-x-pack-Mac-OS-X
[2020-07-10T15:53:18.386Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Winlogbeat-Windows
[2020-07-10T15:53:18.461Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Functionbeat-Mac-OS-X-x-pack
[2020-07-10T15:53:18.539Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Metricbeat-Windows
[2020-07-10T15:53:18.613Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Metricbeat-x-pack-Windows
[2020-07-10T15:53:18.687Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Metricbeat-x-pack
[2020-07-10T15:53:18.759Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Generators-Beat-Linux
[2020-07-10T15:53:18.832Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Heartbeat-Windows
[2020-07-10T15:53:18.913Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Metricbeat-Python-integration-tests
[2020-07-10T15:53:18.985Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Functionbeat-Windows
[2020-07-10T15:53:19.066Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Generators-Metricbeat-Mac-OS-X
[2020-07-10T15:53:19.140Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Generators-Beat-Mac-OS-X
[2020-07-10T15:53:19.215Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Metricbeat-OSS-Integration-tests
[2020-07-10T15:53:19.293Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Filebeat-oss
[2020-07-10T15:53:19.369Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Filebeat-x-pack
[2020-07-10T15:53:19.740Z] + cat
[2020-07-10T15:53:19.740Z] + /usr/local/bin/runbld ./runbld-script
[2020-07-10T15:53:19.740Z] Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
[2020-07-10T15:53:26.358Z] runbld>>> runbld started
[2020-07-10T15:53:26.358Z] runbld>>> 1.6.12/f45d832f2ba0aa2722ab4ec1fda8ad140f027f8b
[2020-07-10T15:53:28.282Z] runbld>>> The following profiles matched the job 'Beats/beats-beats-mbp/PR-19809' in order of occurrence in the config (last value wins).
[2020-07-10T15:53:29.226Z] runbld>>> Debug logging enabled.
[2020-07-10T15:53:29.226Z] runbld>>> Storing result
[2020-07-10T15:53:29.488Z] runbld>>> Store result: created {:total 2, :successful 2, :failed 0} 1
[2020-07-10T15:53:29.488Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200710155329-F1DF797A
[2020-07-10T15:53:29.488Z] runbld>>> Adding system facts.
[2020-07-10T15:53:30.438Z] runbld>>> Adding vcs info for the latest commit:  ae2fae9b49ae9ae548cff843d732532f174676dc
[2020-07-10T15:53:30.438Z] runbld>>> >>>>>>>>>>>> SCRIPT EXECUTION BEGIN >>>>>>>>>>>>
[2020-07-10T15:53:30.438Z] runbld>>> Adding /usr/lib/jvm/java-8-openjdk-amd64/bin to the path.
[2020-07-10T15:53:30.438Z] + echo 'Processing JUnit reports with runbld...'
[2020-07-10T15:53:30.438Z] Processing JUnit reports with runbld...
[2020-07-10T15:53:31.011Z] runbld>>> <<<<<<<<<<<< SCRIPT EXECUTION END <<<<<<<<<<<<
[2020-07-10T15:53:31.011Z] runbld>>> DURATION: 38ms
[2020-07-10T15:53:31.011Z] runbld>>> STDOUT: 40 bytes
[2020-07-10T15:53:31.011Z] runbld>>> STDERR: 49 bytes
[2020-07-10T15:53:31.011Z] runbld>>> WRAPPED PROCESS: SUCCESS (0)
[2020-07-10T15:53:31.011Z] runbld>>> Searching for build metadata in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats
[2020-07-10T15:53:31.957Z] runbld>>> Storing build metadata: 
[2020-07-10T15:53:31.957Z] runbld>>> Adding test report.
[2020-07-10T15:53:31.957Z] runbld>>> Searching for junit test output files with the pattern: TEST-.*\.xml$ in: /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats
[2020-07-10T15:53:32.901Z] runbld>>> Found 92 test output files
[2020-07-10T15:53:34.292Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Metricbeat-OSS-Integration-tests/metricbeat/build/TEST-go-integration-graphite.xml
[2020-07-10T15:53:34.554Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809/src/github.com/elastic/beats/Metricbeat-OSS-Integration-tests/metricbeat/build/TEST-go-integration-windows.xml
[2020-07-10T15:53:34.815Z] runbld>>> Test output logs contained: Errors: 0 Failures: 0 Tests: 10395 Skipped: 1338
[2020-07-10T15:53:34.815Z] runbld>>> Storing result
[2020-07-10T15:53:34.815Z] runbld>>> FAILURES: 0
[2020-07-10T15:53:35.075Z] runbld>>> Store result: updated {:total 2, :successful 2, :failed 0} 2
[2020-07-10T15:53:35.075Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200710155329-F1DF797A
[2020-07-10T15:53:35.336Z] runbld>>> Email notification disabled by environment variable.
[2020-07-10T15:53:35.336Z] runbld>>> Slack notification disabled by environment variable.
[2020-07-10T15:53:41.418Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19809
[2020-07-10T15:53:41.657Z] [INFO] getVaultSecret: Getting secrets
[2020-07-10T15:53:41.725Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-07-10T15:53:42.735Z] + chmod 755 generate-build-data.sh
[2020-07-10T15:53:42.735Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-19809/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-19809/runs/2 FAILURE 7454519
[2020-07-10T15:53:42.735Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-19809/runs/2/steps/?limit=10000 -o steps-info.json
[2020-07-10T15:53:44.597Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-19809/runs/2/tests/?status=FAILED -o tests-errors.json
[2020-07-10T15:53:45.148Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-19809/runs/2/log/ -o pipeline-log.txt

@leehinman leehinman merged commit b80c7ef into elastic:7.x Jul 13, 2020
@leehinman leehinman deleted the backport_19121_7.x branch October 5, 2020 19:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees
No one assigned
Labels
backport [zube]: Done
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@leehinman @elasticmachine @andrewkroh