New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cherry-pick #19962 to 7.9: [Filebeat] Fix s3 input parsing json file without expand_event_list_from_field #20135

Merged

kaiyan-sheng merged 2 commits into elastic:7.9 from kaiyan-sheng:backport_19962_7.9

Jul 22, 2020

Contributor

kaiyan-sheng commented Jul 22, 2020 •

edited by zube bot

Loading

Cherry-pick of PR #19962 to 7.9 branch. Original message:

What does this PR do?

This PR is to fix s3 input when parsing json files without expand_event_list_from_field config parameter.
During testing I found offset is not working properly for s3 input events, this PR also fix it.

Why is it important?

For some logs, such as Cloudflare, json looks like:

{"id": "0001", "hey": "there", "how": {"are": "you"}}
{"id": "0002", "hope": "you", "are": {"doing": "well"}}
{"id": "0003", "I": "am", "doing": {"O": "K"}}

instead of with a head field like:

{
  "Records": [
    {
      "eventVersion": "1.05",
      "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAJ3UFBPIHDEKKCOI2G:AssumeRoleSession",
        "arn": "arn:aws:sts::123456789012:assumed-role/CloudHealth/AssumeRoleSession",
        "accountId": "123456789012"
      }
]

Checklist

My code follows the style guidelines of this project
I have commented my code, particularly in hard-to-understand areas
I have made corresponding changes to the documentation
I have made corresponding change to the default configuration files
I have added tests that prove my fix is effective or that my feature works
I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

Create a test log file:

$ cat s3filebeat.log 
{"id": "0001", "hey": "there", "how": {"are": "you"}}
{"id": "0002", "hope": "you", "are": {"doing": "well"}}
{"id": "0003", "I": "am", "doing": {"O": "K"}}

Gzip the log file:

gzip s3filebeat.log

Upload the file to S3 bucket and add property:

$ aws --profile PROFILE s3api put-object --body ./s3filebeat.log.gz --bucket lucas-test-filebeat-s3 --content-encoding gzip --content-type application/json --key s3filebeat.log.gz
{
    "ETag": "\"955ed9f01b6ee38dbba167daab9ebbbb\""
}

or manually upload this file to s3 bucket and change the property there.

Change filebeat input to s3 in filebeat.yml

filebeat.inputs:
- type: s3
  queue_url: https://sqs.us-east-1.amazonaws.com/428152502467/test-fb-ks
  credential_profile_name: elastic-beats

Run ./filebeat -e

Related issues

Closes Filebeat S3 input plugin cannot parse jsonl file with content-type set as application/json #19902


          [Filebeat] Fix s3 input parsing json file without expand_event_list_f…

d891456

…rom_field (#19962)

* Fix s3 input parsing json file without expand_event_list_from_field

(cherry picked from commit 2bf84dd)

kaiyan-sheng added [zube]: In Review backport Team:Platforms labels

botelastic bot added the needs_team label

Collaborator

elasticmachine commented Jul 22, 2020

Pinging @elastic/integrations-platforms (Team:Platforms)

botelastic bot removed the needs_team label

botelastic bot commented Jul 22, 2020

This pull request doesn't have a Team:<team> label.

kaiyan-sheng self-assigned this


          update changelog

ChrsMark approved these changes

View reviewed changes

Collaborator

elasticmachine commented Jul 22, 2020 •

edited by jenkins-beats-ci bot

Loading

💔 Tests Failed

Expand to view the summary

Build stats

Build Cause: [Pull request #20135 updated]
Start Time: 2020-07-22T13:25:17.269+0000
Duration: 57 min 10 sec

Test stats 🧪

Test	Results
Failed	10
Passed	2454
Skipped	385
Total	2849

Test errors

Expand to view the tests failures

Name: Build and Test / Filebeat x-pack / test_fileset_file_056_o365 – test_xpack_modules.XPackTest
- Age: 2
- Duration: 3.697
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'log.offset': 0, 'source.geo.continent_name': 'Europe', 'source.geo.region_iso_code': 'ES-B', 'source.geo.city_name': 'Barcelona', 'source.geo.country_iso_code': 'ES', 'source.geo.region_name': 'Barcelona', 'source.geo.location.lon': 2.1611, 'source.geo.location.lat': 41.3891, 'source.as.number': 3352, 'source.as.organization.name': 'Telefonica De Espana', 'source.ip': '213.97.47.133', 'network.type': 'ipv4', 'o365.audit.Site': 'd5180cfc-3479-44d6-b410-8c985ac894e3', 'o365.audit.ObjectId': 'https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png', 'o365.audit.SourceFileName': 'Screenshot 2020-01-27 at 11.30.48.png', 'o365.audit.ItemType': 'File', 'o365.audit.UserKey': 'i:0h.f|membership|1003200096971f55@live.com', 'o365.audit.OrganizationId': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'o365.audit.Operation': 'FileDeleted', 'o365.audit.SiteUrl': 'https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/', 'o365.audit.SourceFileExtension': 'png', 'o365.audit.ClientIP': '213.97.47.133', 'o365.audit.Workload': 'OneDrive', 'o365.audit.SourceRelativeUrl': 'Documents', 'o365.audit.EventSource': 'SharePoint', 'o365.audit.ListId': '2b6ad2bd-0fd7-4556-9c89-a97847085b85', 'o365.audit.RecordType': 6, 'o365.audit.Version': 1, 'o365.audit.WebId': '8c5c94bb-8396-470c-87d7-8999f440cd30', 'o365.audit.UserId': 'asr@testsiem.onmicrosoft.com', 'o365.audit.CreationTime': '2020-02-07T16:44:07', 'o365.audit.UserAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0', 'o365.audit.Id': 'ec04aa09-0a43-4879-cdc8-08d7abecf327', 'o365.audit.CorrelationId': '652b339f-908c-a000-f25f-91423da7dd9b', 'o365.audit.ListItemUniqueId': '4803608a-df7d-4f63-aa73-67aa33bb576e', 'o365.audit.UserType': 0, 'file.extension': 'png', 'file.name': 'Screenshot 2020-01-27 at 11.30.48.png', 'file.directory': 'Documents', 'related.ip': '213.97.47.133', 'related.user': 'asr', 'host.name': 'testsiem.onmicrosoft.com', 'host.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'client.address': '213.97.47.133', 'client.ip': '213.97.47.133', 'event.code': 'SharePointFileOperation', 'event.provider': 'OneDrive', 'event.kind': 'event', 'event.module': 'o365', 'event.action': 'FileDeleted', 'event.id': 'ec04aa09-0a43-4879-cdc8-08d7abecf327', 'event.type': 'deletion', 'event.category': 'file', 'event.dataset': 'o365.audit', 'event.outcome': 'success', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.14', 'user_agent.os.full': 'Mac OS X 10.14', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '72.0.', 'fileset.name': 'audit', 'url.original': 'https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png', 'tags': ['forwarded'], 'input.type': 'log', '@timestamp': '2020-02-07T16:44:07.000Z', 'service.type': 'o365', 'organization.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'user.domain': 'testsiem.onmicrosoft.com', 'user.name': 'asr', 'user.id': 'asr@testsiem.onmicrosoft.com'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing o365/audit on /go/src/github.com/elastic/beats/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat x-pack / test_fileset_file_060_o365 – test_xpack_modules.XPackTest
- Age: 2
- Duration: 3.141
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'log.offset': 0, 'source.geo.continent_name': 'Europe', 'source.geo.region_iso_code': 'ES-B', 'source.geo.city_name': 'Barcelona', 'source.geo.country_iso_code': 'ES', 'source.geo.region_name': 'Barcelona', 'source.geo.location.lon': 2.1611, 'source.geo.location.lat': 41.3891, 'source.as.number': 3352, 'source.as.organization.name': 'Telefonica De Espana', 'source.ip': '213.97.47.133', 'fileset.name': 'audit', 'network.type': 'ipv4', 'tags': ['forwarded'], 'o365.audit.Site': 'd5180cfc-3479-44d6-b410-8c985ac894e3', 'o365.audit.ObjectId': 'https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx', 'o365.audit.UserKey': 'i:0h.f|membership|1003200096971f55@live.com', 'o365.audit.ItemType': 'Page', 'o365.audit.OrganizationId': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'o365.audit.Operation': 'PageViewed', 'o365.audit.ClientIP': '213.97.47.133', 'o365.audit.Workload': 'OneDrive', 'o365.audit.EventSource': 'SharePoint', 'o365.audit.RecordType': 4, 'o365.audit.Version': 1, 'o365.audit.WebId': '8c5c94bb-8396-470c-87d7-8999f440cd30', 'o365.audit.UserId': 'asr@testsiem.onmicrosoft.com', 'o365.audit.UserAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0', 'o365.audit.CreationTime': '2020-02-07T16:43:53', 'o365.audit.CustomUniqueId': True, 'o365.audit.CorrelationId': '622b339f-4000-a000-f25f-92b3478c7a25', 'o365.audit.Id': '99d005e6-a4c6-46fd-117c-08d7abeceab5', 'o365.audit.ListItemUniqueId': '59a8433d-9bb8-cfef-6edc-4c0fc8b86875', 'o365.audit.UserType': 0, 'input.type': 'log', '@timestamp': '2020-02-07T16:43:53.000Z', 'related.ip': '213.97.47.133', 'related.user': 'asr', 'service.type': 'o365', 'organization.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'host.name': 'testsiem.onmicrosoft.com', 'host.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'client.address': '213.97.47.133', 'client.ip': '213.97.47.133', 'event.code': 'SharePoint', 'event.provider': 'OneDrive', 'event.kind': 'event', 'event.module': 'o365', 'event.action': 'PageViewed', 'event.id': '99d005e6-a4c6-46fd-117c-08d7abeceab5', 'event.category': 'web', 'event.type': 'info', 'event.dataset': 'o365.audit', 'event.outcome': 'success', 'user.domain': 'testsiem.onmicrosoft.com', 'user.name': 'asr', 'user.id': 'asr@testsiem.onmicrosoft.com', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.14', 'user_agent.os.full': 'Mac OS X 10.14', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '72.0.'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing o365/audit on /go/src/github.com/elastic/beats/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat x-pack / test_fileset_file_061_o365 – test_xpack_modules.XPackTest
- Age: 2
- Duration: 3.605
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'log.offset': 3965, 'source.geo.continent_name': 'Europe', 'source.geo.region_iso_code': 'ES-B', 'source.geo.city_name': 'Barcelona', 'source.geo.country_iso_code': 'ES', 'source.geo.region_name': 'Barcelona', 'source.geo.location.lon': 2.1611, 'source.geo.location.lat': 41.3891, 'source.as.number': 3352, 'source.as.organization.name': 'Telefonica De Espana', 'source.ip': '79.159.10.151', 'fileset.name': 'audit', 'tags': ['forwarded'], 'network.type': 'ipv4', 'o365.audit.Site': 'd5180cfc-3479-44d6-b410-8c985ac894e3', 'o365.audit.ObjectId': 'https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com//personal/asr_testsiem_onmicrosoft_com/Sharing Links', 'o365.audit.UserKey': 'i:0h.f|membership|1003200096971f55@live.com', 'o365.audit.ItemType': 'List', 'o365.audit.SiteUrl': 'https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com', 'o365.audit.OrganizationId': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'o365.audit.Operation': 'SharingInheritanceBroken', 'o365.audit.ClientIP': '79.159.10.151', 'o365.audit.EventData': 'FalseFalse', 'o365.audit.Workload': 'OneDrive', 'o365.audit.SourceRelativeUrl': 'Sharing Links', 'o365.audit.EventSource': 'SharePoint', 'o365.audit.RecordType': 14, 'o365.audit.ListId': 'b108938d-3546-4359-925d-a1b54b4db8c2', 'o365.audit.Version': 1, 'o365.audit.WebId': '8c5c94bb-8396-470c-87d7-8999f440cd30', 'o365.audit.UserId': 'asr@testsiem.onmicrosoft.com', 'o365.audit.CreationTime': '2020-02-14T18:25:45', 'o365.audit.UserAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0', 'o365.audit.CorrelationId': 'fe71359f-005f-9000-7cb1-ccf5124703db', 'o365.audit.Id': 'dd162cd7-5df5-4fef-078a-08d7b17b4e95', 'o365.audit.UserType': 0, 'input.type': 'log', '@timestamp': '2020-02-14T18:25:45.000Z', 'related.ip': '79.159.10.151', 'related.user': 'asr', 'service.type': 'o365', 'organization.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'host.name': 'testsiem.onmicrosoft.com', 'host.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'client.address': '79.159.10.151', 'client.ip': '79.159.10.151', 'event.code': 'SharePointSharingOperation', 'event.provider': 'OneDrive', 'event.kind': 'event', 'event.module': 'o365', 'event.action': 'SharingInheritanceBroken', 'event.id': 'dd162cd7-5df5-4fef-078a-08d7b17b4e95', 'event.category': 'web', 'event.type': 'info', 'event.dataset': 'o365.audit', 'event.outcome': 'success', 'user.domain': 'testsiem.onmicrosoft.com', 'user.name': 'asr', 'user.id': 'asr@testsiem.onmicrosoft.com', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.14', 'user_agent.os.full': 'Mac OS X 10.14', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '73.0.'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing o365/audit on /go/src/github.com/elastic/beats/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat x-pack / test_fileset_file_062_o365 – test_xpack_modules.XPackTest
- Age: 2
- Duration: 8.806
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'log.offset': 0, 'source.geo.continent_name': 'Europe', 'source.geo.region_iso_code': 'ES-B', 'source.geo.city_name': 'Barcelona', 'source.geo.country_iso_code': 'ES', 'source.geo.region_name': 'Barcelona', 'source.geo.location.lon': 2.1611, 'source.geo.location.lat': 41.3891, 'source.as.number': 3352, 'source.as.organization.name': 'Telefonica De Espana', 'source.ip': '83.57.233.151', 'fileset.name': 'audit', 'tags': ['forwarded'], 'network.type': 'ipv4', 'o365.audit.AzureActiveDirectoryEventType': 1, 'o365.audit.UserKey': '1003200096971F55@testsiem.onmicrosoft.com', 'o365.audit.ActorIpAddress': '83.57.233.151', 'o365.audit.OrganizationId': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'o365.audit.Operation': 'UserLoggedIn', 'o365.audit.ExtendedProperties.ResultStatusDetail': 'Success', 'o365.audit.ExtendedProperties.UserAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0', 'o365.audit.ExtendedProperties.KeepMeSignedIn': 'False', 'o365.audit.ExtendedProperties.UserAuthenticationMethod': '9', 'o365.audit.ExtendedProperties.RequestType': 'OAuth2:Authorize', 'o365.audit.IntraSystemId': 'c4206c29-46c2-4a6f-a46b-735107705400', 'o365.audit.Target': [{'Type': 0, 'ID': '00000002-0000-0000-c000-000000000000'}], 'o365.audit.RecordType': 15, 'o365.audit.Version': 1, 'o365.audit.SupportTicketId': '', 'o365.audit.Actor': [{'Type': 0, 'ID': '755e500a-6c03-46b0-b53b-282f23374e3b'}, {'Type': 5, 'ID': 'asr@testsiem.onmicrosoft.com'}, {'Type': 3, 'ID': '1003200096971F55'}], 'o365.audit.ActorContextId': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'o365.audit.ObjectId': '00000002-0000-0000-c000-000000000000', 'o365.audit.ResultStatus': 'Succeeded', 'o365.audit.ClientIP': '83.57.233.151', 'o365.audit.Workload': 'AzureActiveDirectory', 'o365.audit.UserId': 'asr@testsiem.onmicrosoft.com', 'o365.audit.TargetContextId': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'o365.audit.CreationTime': '2020-02-10T15:13:13', 'o365.audit.InterSystemsId': '03616b3a-fc75-46a1-b34a-2d82fc8f1e7e', 'o365.audit.Id': 'ca0efc24-1b89-4962-8fef-a3ac5437302f', 'o365.audit.ApplicationId': '4345a7b9-9a63-4910-a426-35363201d503', 'o365.audit.UserType': 0, 'input.type': 'log', '@timestamp': '2020-02-10T15:13:13.000Z', 'related.ip': '83.57.233.151', 'related.user': 'asr', 'service.type': 'o365', 'organization.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'host.name': 'testsiem.onmicrosoft.com', 'host.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'client.address': '83.57.233.151', 'client.ip': '83.57.233.151', 'event.code': 'AzureActiveDirectoryStsLogon', 'event.provider': 'AzureActiveDirectory', 'event.kind': 'event', 'event.module': 'o365', 'event.action': 'UserLoggedIn', 'event.id': 'ca0efc24-1b89-4962-8fef-a3ac5437302f', 'event.category': 'authentication', 'event.type': ['start', 'authentication_success'], 'event.dataset': 'o365.audit', 'event.outcome': 'success', 'user.domain': 'testsiem.onmicrosoft.com', 'user.name': 'asr', 'user.id': 'asr@testsiem.onmicrosoft.com', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.14', 'user_agent.os.full': 'Mac OS X 10.14', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '72.0.'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing o365/audit on /go/src/github.com/elastic/beats/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat x-pack / test_fileset_file_095_cylance – test_xpack_modules.XPackTest
- Age: 2
- Duration: 9.439
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['@timestamp']": {'new_value': '2020-07-24T10:58:48.000Z', 'old_value': '2019-07-24T10:58:48.000Z'}, "root['rsa.time.event_time']": {'new_value': '2020-07-24T10:58:48.000Z', 'old_value': '2019-07-24T10:58:48.000Z'}}}, full object:
  {'rsa.internal.messageid': 'CylancePROTECT', 'rsa.identity.firstname': 'rinc', 'rsa.identity.lastname': 'tno', 'rsa.investigations.event_cat': 1609000000, 'rsa.investigations.event_cat_name': 'System.Alerts', 'rsa.time.event_time': '2020-07-24T10:58:48.000Z', 'rsa.db.index': 'rExce', 'rsa.misc.device_name': 'ncididu', 'rsa.misc.event_type': 'Alert', 'rsa.misc.mail_id': 'meumf', 'rsa.network.alias_host': ['squ2213.www.test'], 'log.offset': 24048, 'fileset.name': 'protect', 'tags': ['cylance.protect', 'forwarded'], 'input.type': 'log', 'observer.product': 'Protect', 'observer.vendor': 'Cylance', 'observer.type': 'Anti-Virus', '@timestamp': '2020-07-24T10:58:48.000Z', 'service.type': 'cylance', 'host.name': 'squ2213.www.test', 'event.original': '24-Jul-2019 8:58:48 very-high uiacon6640.api.localhost suntexpl <sBonoru 24T08:58:48.everi squ2213.www.test CylancePROTECT Event Name:Alert, Device Message: Device: ncididu; Zones Removed: itati; Zones Added: nostrude, User: rinc tno (meumf), Zone Names:rExce Device Id: quisquam', 'event.code': 'CylancePROTECT', 'event.module': 'cylance', 'event.action': 'Alert', 'event.dataset': 'cylance.protect'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing cylance/protect on /go/src/github.com/elastic/beats/x-pack/filebeat/module/cylance/protect/test/generated.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat x-pack / test_fileset_file_106_okta – test_xpack_modules.XPackTest
- Age: 2
- Duration: 3.48
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'log.offset': 0, 'source.geo.continent_name': 'North America', 'source.geo.region_iso_code': 'US-CA', 'source.geo.city_name': 'Dublin', 'source.geo.country_iso_code': 'US', 'source.geo.region_name': 'California', 'source.geo.location.lon': -121.919, 'source.geo.location.lat': 37.7201, 'source.as.number': 7018, 'source.as.organization.name': 'AT&T Services, Inc.', 'source.ip': '108.255.197.247', 'source.user.full_name': 'xxxxxx', 'source.user.id': '00u1abvz4pYqdM8ms4x6', 'fileset.name': 'system', 'tags': ['forwarded'], 'input.type': 'log', '@timestamp': '2020-02-14T22:18:51.843Z', 'related.ip': '108.255.197.247', 'related.user': 'xxxxxx', 'service.type': 'okta', 'client.geo.city_name': 'Dublin', 'client.geo.country_name': 'United States', 'client.geo.location.lon': -121.919, 'client.geo.location.lat': 37.7201, 'client.geo.region_name': 'California', 'client.ip': '108.255.197.247', 'client.user.full_name': 'xxxxxx', 'client.user.id': '00u1abvz4pYqdM8ms4x6', 'event.original': '{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"108.255.197.247","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/login/signout","threatSuspected":"false","url":"/login/signout?message=login_page_messages.session_has_expired"}},"displayMessage":"User logout from Okta","eventType":"user.session.end","legacyEventType":"core.user_auth.logout_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T22:18:51.843Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"108.255.197.247","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkccyyMli2Uay2I93ZgRzQAAB0c","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"}', 'event.kind': 'event', 'event.module': 'okta', 'event.action': 'user.session.end', 'event.id': 'faf7398a-4f77-11ea-97fb-5925e98228bd', 'event.type': ['access'], 'event.category': ['authentication'], 'event.dataset': 'okta.system', 'event.outcome': 'success', 'okta.actor.id': '00u1abvz4pYqdM8ms4x6', 'okta.actor.display_name': 'xxxxxx', 'okta.actor.type': 'User', 'okta.actor.alternate_id': 'xxxxxx@elastic.co', 'okta.debug_context.debug_data.threat_suspected': 'false', 'okta.debug_context.debug_data.request_id': 'XkccyyMli2Uay2I93ZgRzQAAB0c', 'okta.debug_context.debug_data.request_uri': '/login/signout', 'okta.debug_context.debug_data.url': '/login/signout?message=login_page_messages.session_has_expired', 'okta.event_type': 'user.session.end', 'okta.authentication_context.authentication_step': 0, 'okta.authentication_context.external_session_id': '102nZHzd6OHSfGG51vsoc22gw', 'okta.display_message': 'User logout from Okta', 'okta.client.zone': 'null', 'okta.client.ip': '108.255.197.247', 'okta.client.device': 'Computer', 'okta.client.user_agent.raw_user_agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0', 'okta.client.user_agent.os': 'Mac OS X', 'okta.client.user_agent.browser': 'FIREFOX', 'okta.uuid': 'faf7398a-4f77-11ea-97fb-5925e98228bd', 'okta.outcome.result': 'SUCCESS', 'okta.transaction.id': 'XkccyyMli2Uay2I93ZgRzQAAB0c', 'okta.transaction.type': 'WEB', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.15', 'user_agent.os.full': 'Mac OS X 10.15', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '72.0.'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing okta/system on /go/src/github.com/elastic/beats/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat x-pack / test_fileset_file_167_zscaler – test_xpack_modules.XPackTest
- Age: 2
- Duration: 9.729
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'U307AS', 'old_value': 'Generic Smartphone'}}}, full object:
  {'rsa.internal.data': 'amco', 'rsa.internal.messageid': 'ZSCALERNSS_1', 'rsa.web.fqdn': 'orsitame3262.domain', 'rsa.identity.user_dept': 'onev', 'rsa.investigations.ec_subject': 'User', 'rsa.investigations.ec_activity': 'Deny', 'rsa.investigations.ec_theme': 'Communication', 'rsa.investigations.event_vcat': 'uptassi', 'rsa.threat.threat_category': 'tur', 'rsa.time.timezone': 'CT', 'rsa.time.event_time': '2016-02-26T10:15:08.000Z', 'rsa.db.index': 'nsequat', 'rsa.network.alias_host': ['orsitame3262.domain'], 'rsa.misc.filter': 'tconsec', 'rsa.misc.result': 'success', 'rsa.misc.reference_id': 'laboreet', 'rsa.misc.action': ['Blocked', 'giatq'], 'rsa.misc.result_code': 'tia', 'rsa.misc.category': 'llu', 'log.offset': 1742, 'destination.bytes': 1837, 'destination.ip': ['10.204.86.149'], 'source.bytes': 2935, 'source.ip': ['10.254.146.57'], 'network.protocol': 'igmp', 'network.bytes': 6905, 'observer.product': 'Internet', 'observer.vendor': 'Zscaler', 'observer.type': 'Configuration', 'file.type': 'oluptas', 'related.ip': ['10.204.86.149', '10.254.146.57'], 'related.user': ['tenima'], 'host.name': 'orsitame3262.domain', 'event.original': 'amco ZSCALERNSS: time=exe Feb 26 8:15:08 2016^^timezone=CT^^action=Blocked^^reason=success^^hostname=orsitame3262.domain^^protocol=igmp^^serverip=10.204.86.149^^url=https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte^^urlcategory=tconsec^^urlclass=nsequat^^dlpdictionaries=taev^^dlpengine=roidents^^filetype=oluptas^^threatcategory=llu^^threatclass=uptassi^^pagerisk=tamremap^^threatname=tur^^clientpublicIP=aperi^^ClientIP=10.254.146.57^^location=estqui^^refererURL=https://www5.example.net/emaper/ssitasp.html?enimad=rmagni#sit^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=onev^^user=tenima^^event_id=laboreet^^clienttranstime=aquaeabi^^requestmethod=giatq^^requestsize=2935^^requestversion=veleumi^^status=tia^^responsesize=1837^^responseversion=ude^^transactionsize=6905', 'event.code': 'laboreet', 'event.timezone': 'CT', 'event.module': 'zscaler', 'event.action': 'Blocked', 'event.dataset': 'zscaler.zia', 'user_agent.original': 'Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36', 'user_agent.os.name': 'Android', 'user_agent.os.version': '9', 'user_agent.os.full': 'Android 9', 'user_agent.name': 'Chrome Mobile', 'user_agent.device.name': 'U307AS', 'user_agent.version': '83.0.4103.83', 'fileset.name': 'zia', 'url.original': 'https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte', 'tags': ['zscaler.zia', 'forwarded'], 'input.type': 'log', '@timestamp': '2016-02-26T10:15:08.000Z', 'service.type': 'zscaler', 'http.request.referrer': 'https://www5.example.net/emaper/ssitasp.html?enimad=rmagni#sit', 'user.name': 'tenima'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing zscaler/zia on /go/src/github.com/elastic/beats/x-pack/filebeat/module/zscaler/zia/test/generated.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat x-pack / test_fileset_file_179_suricata – test_xpack_modules.XPackTest
- Age: 2
- Duration: 3.776
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'log.offset': 985, 'destination.address': '192.168.86.28', 'destination.port': 63963, 'destination.ip': '192.168.86.28', 'destination.domain': '192.168.86.28', 'source.address': '192.168.86.85', 'source.port': 56119, 'source.ip': '192.168.86.85', 'fileset.name': 'eve', 'url.path': '/dd.xml', 'url.original': '/dd.xml', 'url.domain': '192.168.86.28', 'tags': ['suricata'], 'network.community_id': '1:gjMiDGtS5SVvdwzjjQdAKGBrDA4=', 'network.protocol': 'http', 'network.transport': 'tcp', 'input.type': 'log', '@timestamp': '2018-07-05T19:43:47.690Z', 'related.ip': ['192.168.86.85', '192.168.86.28'], 'service.type': 'suricata', 'http.request.method': 'GET', 'http.response.status_code': 200, 'http.response.body.bytes': 1155, 'suricata.eve.in_iface': 'en0', 'suricata.eve.event_type': 'http', 'suricata.eve.flow_id': 2115002772430095, 'suricata.eve.http.protocol': 'HTTP/1.1', 'suricata.eve.http.http_content_type': 'text/xml', 'suricata.eve.tx_id': 0, 'event.original': '{"timestamp":"2018-07-05T15:43:47.690014-0400","flow_id":2115002772430095,"in_iface":"en0","event_type":"http","src_ip":"192.168.86.85","src_port":56119,"dest_ip":"192.168.86.28","dest_port":63963,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.86.28","url":"\/dd.xml","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.99 Safari\/537.36","http_content_type":"text\/xml","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1155}}', 'event.kind': 'event', 'event.module': 'suricata', 'event.category': ['network', 'web'], 'event.type': ['access', 'protocol'], 'event.dataset': 'suricata.eve', 'event.outcome': 'success', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.13.5', 'user_agent.os.full': 'Mac OS X 10.13.5', 'user_agent.name': 'Chrome', 'user_agent.device.name': 'Mac', 'user_agent.version': '67.0.3396.99'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing suricata/eve on /go/src/github.com/elastic/beats/x-pack/filebeat/module/suricata/eve/test/eve-small.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat x-pack / test_fileset_file_188_googlecloud – test_xpack_modules.XPackTest
- Age: 2
- Duration: 3.837
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'log.offset': 945, 'log.logger': 'projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access', 'source.ip': '192.168.1.1', 'fileset.name': 'audit', 'tags': ['forwarded'], 'cloud.project.id': 'elastic-beats', 'input.type': 'log', '@timestamp': '2019-12-19T00:45:51.228Z', 'service.name': 'compute.googleapis.com', 'service.type': 'googlecloud', 'event.kind': 'event', 'event.module': 'googlecloud', 'event.action': 'beta.compute.machineTypes.aggregatedList', 'event.id': '-h6onuze1h7dg', 'event.dataset': 'googlecloud.audit', 'event.outcome': 'failure', 'googlecloud.audit.request.proto_name': 'type.googleapis.com/compute.machineTypes.aggregatedList', 'googlecloud.audit.authentication_info.principal_email': 'xxx@xxx.xxx', 'googlecloud.audit.method_name': 'beta.compute.machineTypes.aggregatedList', 'googlecloud.audit.request_metadata.caller_ip': '192.168.1.1', 'googlecloud.audit.request_metadata.caller_supplied_user_agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)', 'googlecloud.audit.service_name': 'compute.googleapis.com', 'googlecloud.audit.num_response_items': 71, 'googlecloud.audit.type': 'type.googleapis.com/google.cloud.audit.AuditLog', 'googlecloud.audit.authorization_info': [{'permission': 'compute.machineTypes.list', 'resource_attributes': {'service': 'resourcemanager', 'name': 'projects/elastic-beats', 'type': 'resourcemanager.projects'}, 'granted': False}], 'googlecloud.audit.resource_name': 'projects/elastic-beats/global/machineTypes', 'googlecloud.audit.resource_location.current_locations': ['global'], 'user.email': 'xxx@xxx.xxx', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.15', 'user_agent.os.full': 'Mac OS X 10.15', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '71.0.'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing googlecloud/audit on /go/src/github.com/elastic/beats/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat x-pack / test_fileset_file_207_tomcat – test_xpack_modules.XPackTest
- Age: 2
- Duration: 9.452
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'G8142', 'old_value': 'Generic Smartphone'}}}, full object:
  {'rsa.internal.level': 1516, 'rsa.internal.messageid': 'asdf', 'rsa.web.web_ref_domain': 'mail.example.net', 'rsa.web.alias_host': 'https://example.com/illumqui/ventore.html?min=ite#utl', 'rsa.web.fqdn': 'https://example.com/illumqui/ventore.html?min=ite#utl', 'rsa.web.web_cookie': 'aliqu', 'rsa.time.timezone': 'OMST', 'rsa.time.event_time': '2016-01-29T08:09:59.000Z', 'rsa.network.network_service': 'oremi', 'rsa.misc.action': ['exercita'], 'rsa.misc.result_code': 'ntsunti', 'log.offset': 0, 'source.bytes': 5293, 'source.ip': ['10.251.224.219'], 'fileset.name': 'log', 'url.query': 'amremap', 'url.domain': 'example.com', 'tags': ['tomcat.log', 'forwarded'], 'input.type': 'log', 'observer.product': 'TomCat', 'observer.vendor': 'Apache', 'observer.type': 'Web', '@timestamp': '2016-01-29T08:09:59.000Z', 'file.name': 'vol', 'related.ip': ['10.251.224.219'], 'related.user': ['rci'], 'service.type': 'tomcat', 'http.request.referrer': 'https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer', 'event.code': 'asdf', 'event.original': '%APACHETOMCAT-1516-asdf: 10.251.224.219||eacommod||rci||[29/Jan/2016:6:09:59 OMST]||exercita||https://example.com/illumqui/ventore.html?min=ite#utl||vol||amremap||oremi||ntsunti||5293||https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aliqu', 'event.timezone': 'OMST', 'event.module': 'tomcat', 'event.dataset': 'tomcat.log', 'user.name': 'rci', 'user_agent.original': 'Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36', 'user_agent.os.name': 'Android', 'user_agent.os.version': '9', 'user_agent.os.full': 'Android 9', 'user_agent.name': 'Chrome Mobile', 'user_agent.device.name': 'G8142', 'user_agent.version': '83.0.4103.83'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing tomcat/log on /go/src/github.com/elastic/beats/x-pack/filebeat/module/tomcat/log/test/generated.log

--------------------- >> end captured stdout << ----------------------

Steps errors

Expand to view the steps failures

Name: Mage update build test
- Description: mage update build test
- Duration: 31 min 12 sec
- Start Time: 2020-07-22T13:49:48.428+0000
- log
Name: Report to Codecov
- Description: .ci/scripts/report-codecov.sh auditbeat filebeat heartbeat journalbeat libbeat metricbeat packetbeat winlogbeat
- Duration: 1 min 27 sec
- Start Time: 2020-07-22T14:12:08.828+0000
- log

Log output

Expand to view the last 100 lines of log output

[2020-07-22T14:21:02.564Z] c1e54eec4b57: Download complete
[2020-07-22T14:21:02.564Z] c1e54eec4b57: Pull complete
[2020-07-22T14:21:02.564Z] Digest: sha256:b733d4a32c4da6a00a84df2ca32791bb03df95400243648d8c539e7b4cce329c
[2020-07-22T14:21:02.823Z] Status: Downloaded newer image for alpine:3.4
[2020-07-22T14:21:29.882Z] + python .ci/scripts/pre_archive_test.py
[2020-07-22T14:21:31.259Z] Copy ./x-pack/filebeat/build into build/x-pack/filebeat/build
[2020-07-22T14:21:31.268Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20135/src/github.com/elastic/beats/build
[2020-07-22T14:21:31.299Z] Recording test results
[2020-07-22T14:21:32.944Z] Stashed 4 file(s)
[2020-07-22T14:21:32.956Z] Archiving artifacts
[2020-07-22T14:21:33.637Z] + python .ci/scripts/search_system_tests.py
[2020-07-22T14:21:33.652Z] [INFO] system-tests='build/x-pack/filebeat/build/system-tests'. If no empty then let's create a tarball
[2020-07-22T14:21:34.009Z] + tar --version
[2020-07-22T14:21:34.321Z] + tar --exclude=x-pack-filebeat--system-tests-linux.tgz -czf x-pack-filebeat--system-tests-linux.tgz build/x-pack/filebeat/build/system-tests
[2020-07-22T14:21:52.442Z] Archiving artifacts
[2020-07-22T14:22:01.079Z] + .ci/scripts/report-codecov.sh auditbeat filebeat heartbeat journalbeat libbeat metricbeat packetbeat winlogbeat
[2020-07-22T14:22:01.079Z] + CODECOV_URL=https://codecov.io/bash
[2020-07-22T14:22:01.079Z] + '[' -e /usr/local/bin/bash_standard_lib.sh ']'
[2020-07-22T14:22:01.079Z] + source /usr/local/bin/bash_standard_lib.sh
[2020-07-22T14:22:01.079Z] ++ readonly CACHE_DIR=/var/lib/jenkins/workspace/Beats_beats_PR-20135/.git-references
[2020-07-22T14:22:01.079Z] ++ CACHE_DIR=/var/lib/jenkins/workspace/Beats_beats_PR-20135/.git-references
[2020-07-22T14:22:01.079Z] ++ declare -a cloned_git_repos
[2020-07-22T14:22:01.080Z] + retry 3 curl -sSLo codecov https://codecov.io/bash
[2020-07-22T14:22:01.080Z] + local retries=3
[2020-07-22T14:22:01.080Z] + shift
[2020-07-22T14:22:01.080Z] + local count=0
[2020-07-22T14:22:01.080Z] + curl -sSLo codecov https://codecov.io/bash
[2020-07-22T14:22:01.341Z] + return 0
[2020-07-22T14:22:01.341Z] + for i in '"$@"'
[2020-07-22T14:22:01.341Z] + FILE=auditbeat/build/coverage/full.cov
[2020-07-22T14:22:01.341Z] + '[' -f auditbeat/build/coverage/full.cov ']'
[2020-07-22T14:22:01.341Z] + for i in '"$@"'
[2020-07-22T14:22:01.341Z] + FILE=filebeat/build/coverage/full.cov
[2020-07-22T14:22:01.341Z] + '[' -f filebeat/build/coverage/full.cov ']'
[2020-07-22T14:22:01.341Z] + for i in '"$@"'
[2020-07-22T14:22:01.341Z] + FILE=heartbeat/build/coverage/full.cov
[2020-07-22T14:22:01.341Z] + '[' -f heartbeat/build/coverage/full.cov ']'
[2020-07-22T14:22:01.341Z] + for i in '"$@"'
[2020-07-22T14:22:01.341Z] + FILE=journalbeat/build/coverage/full.cov
[2020-07-22T14:22:01.341Z] + '[' -f journalbeat/build/coverage/full.cov ']'
[2020-07-22T14:22:01.341Z] + for i in '"$@"'
[2020-07-22T14:22:01.341Z] + FILE=libbeat/build/coverage/full.cov
[2020-07-22T14:22:01.341Z] + '[' -f libbeat/build/coverage/full.cov ']'
[2020-07-22T14:22:01.341Z] + for i in '"$@"'
[2020-07-22T14:22:01.341Z] + FILE=metricbeat/build/coverage/full.cov
[2020-07-22T14:22:01.341Z] + '[' -f metricbeat/build/coverage/full.cov ']'
[2020-07-22T14:22:01.341Z] + for i in '"$@"'
[2020-07-22T14:22:01.341Z] + FILE=packetbeat/build/coverage/full.cov
[2020-07-22T14:22:01.341Z] + '[' -f packetbeat/build/coverage/full.cov ']'
[2020-07-22T14:22:01.341Z] + for i in '"$@"'
[2020-07-22T14:22:01.341Z] + FILE=winlogbeat/build/coverage/full.cov
[2020-07-22T14:22:01.341Z] + '[' -f winlogbeat/build/coverage/full.cov ']'
[2020-07-22T14:22:02.834Z] Failed in branch Filebeat x-pack
[2020-07-22T14:22:02.972Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20135/src/github.com/elastic/beats
[2020-07-22T14:22:03.287Z] + find . -type f -name TEST*.xml -path */build/* -delete
[2020-07-22T14:22:03.299Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20135/src/github.com/elastic/beats/Lint
[2020-07-22T14:22:03.387Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20135/src/github.com/elastic/beats/Filebeat-x-pack-Windows
[2020-07-22T14:22:03.466Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20135/src/github.com/elastic/beats/Filebeat-x-pack-Mac-OS-X
[2020-07-22T14:22:03.545Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20135/src/github.com/elastic/beats/Filebeat-x-pack
[2020-07-22T14:22:03.928Z] + cat
[2020-07-22T14:22:03.928Z] + /usr/local/bin/runbld ./runbld-script
[2020-07-22T14:22:03.928Z] Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
[2020-07-22T14:22:10.516Z] runbld>>> runbld started
[2020-07-22T14:22:10.516Z] runbld>>> 1.6.12/f45d832f2ba0aa2722ab4ec1fda8ad140f027f8b
[2020-07-22T14:22:12.426Z] runbld>>> The following profiles matched the job 'Beats/beats/PR-20135' in order of occurrence in the config (last value wins).
[2020-07-22T14:22:13.365Z] runbld>>> Debug logging enabled.
[2020-07-22T14:22:13.625Z] runbld>>> Storing result
[2020-07-22T14:22:13.626Z] runbld>>> Store result: created {:total 2, :successful 2, :failed 0} 1
[2020-07-22T14:22:13.626Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200722142213-6C101AED
[2020-07-22T14:22:13.626Z] runbld>>> Adding system facts.
[2020-07-22T14:22:14.567Z] runbld>>> Adding vcs info for the latest commit:  0158971c44565a5cae411cb5e19cfb10f072d0ba
[2020-07-22T14:22:14.568Z] runbld>>> >>>>>>>>>>>> SCRIPT EXECUTION BEGIN >>>>>>>>>>>>
[2020-07-22T14:22:14.568Z] runbld>>> Adding /usr/lib/jvm/java-8-openjdk-amd64/bin to the path.
[2020-07-22T14:22:14.568Z] Processing JUnit reports with runbld...
[2020-07-22T14:22:14.568Z] + echo 'Processing JUnit reports with runbld...'
[2020-07-22T14:22:15.140Z] runbld>>> <<<<<<<<<<<< SCRIPT EXECUTION END <<<<<<<<<<<<
[2020-07-22T14:22:15.140Z] runbld>>> DURATION: 28ms
[2020-07-22T14:22:15.140Z] runbld>>> STDOUT: 40 bytes
[2020-07-22T14:22:15.140Z] runbld>>> STDERR: 49 bytes
[2020-07-22T14:22:15.140Z] runbld>>> WRAPPED PROCESS: SUCCESS (0)
[2020-07-22T14:22:15.140Z] runbld>>> Searching for build metadata in /var/lib/jenkins/workspace/Beats_beats_PR-20135/src/github.com/elastic/beats
[2020-07-22T14:22:16.083Z] runbld>>> Storing build metadata: 
[2020-07-22T14:22:16.083Z] runbld>>> Adding test report.
[2020-07-22T14:22:16.083Z] runbld>>> Searching for junit test output files with the pattern: TEST-.*\.xml$ in: /var/lib/jenkins/workspace/Beats_beats_PR-20135/src/github.com/elastic/beats
[2020-07-22T14:22:17.024Z] runbld>>> Found 8 test output files
[2020-07-22T14:22:17.966Z] runbld>>> Test output logs contained: Errors: 0 Failures: 10 Tests: 2849 Skipped: 363
[2020-07-22T14:22:17.966Z] runbld>>> Storing result
[2020-07-22T14:22:17.966Z] runbld>>> FAILURES: 10
[2020-07-22T14:22:20.508Z] runbld>>> Store result: updated {:total 2, :successful 2, :failed 0} 2
[2020-07-22T14:22:20.508Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200722142213-6C101AED
[2020-07-22T14:22:20.509Z] runbld>>> Email notification disabled by environment variable.
[2020-07-22T14:22:20.509Z] runbld>>> Slack notification disabled by environment variable.
[2020-07-22T14:22:26.043Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats_PR-20135
[2020-07-22T14:22:26.148Z] [INFO] getVaultSecret: Getting secrets
[2020-07-22T14:22:26.224Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-07-22T14:22:27.549Z] + chmod 755 generate-build-data.sh
[2020-07-22T14:22:27.549Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20135/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20135/runs/2 FAILURE 3430019
[2020-07-22T14:22:27.549Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20135/runs/2/steps/?limit=10000 -o steps-info.json
[2020-07-22T14:22:28.099Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20135/runs/2/tests/?status=FAILED -o tests-errors.json
[2020-07-22T14:22:28.350Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20135/runs/2/log/ -o pipeline-log.txt

Contributor Author

kaiyan-sheng commented Jul 22, 2020

ci failure is not related.

kaiyan-sheng merged commit a7c87c7 into elastic:7.9

kaiyan-sheng deleted the backport_19962_7.9 branch

July 22, 2020 14:24

zube bot added [zube]: Done and removed [zube]: In Review labels

zube bot removed the [zube]: Done label

github-gael-soude commented Sep 22, 2022

Hello @kaiyan-sheng

I would require your help on this topic.
I am using Filebeat 8.4 and when collecting logs from S3 bucket they are never parsed as JSON.
I tried to play with the aws-s3 config but without any success.

Here is a short example of the sample (AWS WAF logs)

{"timestamp":1662771898092,"formatVersion":1,"webaclId":"arn:aws:wafv2:eu-west-1:097958131044:regional/webacl/teads-waf-rules-weak/fe9882ec-3061-4b37-a785-9b26d71269a2","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","terminatingRuleMatchDetails":[],"httpSourceName":"ALB","httpSourceId":"097958131044-app/api-proxy-alb/2b07974f79d93137","httpRequest":{"clientIp":"52.211.173.68","country":"IE","headers":[{"name":"Host","value":"api.teads.tv"},{"name":"Accept-Encoding","value":"gzip, deflate"},{"name":"User-Agent","value":"node-superagent/3.8.3"},{"name":"Connection","value":"close"}],"uri":"/v1/check","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"1-631be2ba-16a11ebe4b16b8f51c271461"}}
{"timestamp":1662771896992,"formatVersion":1,"webaclId":"arn:aws:wafv2:eu-west-1:097958131044:regional/webacl/teads-waf-rules-weak/fe9882ec-3061-4b37-a785-9b26d71269a2","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","terminatingRuleMatchDetails":[],"httpSourceName":"ALB","httpSourceId":"097958131044-app/api-proxy-alb/2b07974f79d93137","httpRequest":{"clientIp":"34.251.181.70","country":"IE","headers":[{"name":"Host","value":"api.teads.tv"},{"name":"Accept-Encoding","value":"gzip, deflate"},{"name":"User-Agent","value":"node-superagent/3.8.3"},{"name":"Connection","value":"close"}],"uri":"/v1/check","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"1-631be2b8-75fb1a275c459a156bac8c32"}}
...

aspacca commented Sep 22, 2022

@github-gael-soude

what is your filebeat config for those files?
probably better to move the question to https://discuss.elastic.co/c/observability/logs/69 were you will find wider audience

leweafan pushed a commit to leweafan/beats that referenced this pull request


          Cherry-pick elastic#19962 to 7.9: [Filebeat] Fix s3 input parsing jso…

238cc4d

…n file without expand_event_list_from_field (elastic#20135)

* [Filebeat] Fix s3 input parsing json file without expand_event_list_from_field (elastic#19962)

* Fix s3 input parsing json file without expand_event_list_from_field

(cherry picked from commit 9cf6b12)

* update changelog

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport Team:Platforms