Sync changes to Zeek DNS

Fix usages of ignore_failure with convert processor. Make DNS transaction ID a string. elastic/integrations#448
andrewkroh · Jan 12, 2021 · c80e180 · c80e180
1 parent b65a973
commit c80e180
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 9 deletions.
diff --git a/x-pack/filebeat/module/zeek/dns/config/dns.yml b/x-pack/filebeat/module/zeek/dns/config/dns.yml
@@ -164,7 +164,7 @@ processors:
         }
   - convert:
       ignore_missing: true
-      ignore_failure: true
+      fail_on_error: false
       mode: rename
       fields:
         - {from: zeek.dns.id.orig_h, to: source.address}
@@ -175,16 +175,21 @@ processors:
         - {from: zeek.dns.proto, to: network.transport}
   - convert:
       ignore_missing: true
-      ignore_failure: true
+      fail_on_error: false
       mode: copy
       fields:
         - {from: source.address, to: source.ip, type: ip}
         - {from: destination.address, to: destination.ip, type: ip}
         - {from: zeek.session_id, to: event.id}
-        - {from: zeek.dns.trans_id, to: dns.id}
+        - {from: zeek.dns.trans_id, to: dns.id, type: string}
         - {from: zeek.dns.query, to: dns.question.name}
         - {from: zeek.dns.qtype_name, to: dns.question.type}
         - {from: zeek.dns.rcode_name, to: dns.response_code}
+  - convert:
+      ignore_missing: true
+      fail_on_error: false
+      fields:
+        - {from: zeek.dns.trans_id, type: string}
   - add_fields:
       target: event
       fields:

diff --git a/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json b/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json
@@ -22,7 +22,7 @@
             "RD",
             "RA"
         ],
-        "dns.id": 15209,
+        "dns.id": "15209",
         "dns.question.class": "IN",
         "dns.question.name": "dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io",
         "dns.question.registered_domain": "es.io",
@@ -88,15 +88,15 @@
         "zeek.dns.rcode_name": "NOERROR",
         "zeek.dns.rejected": false,
         "zeek.dns.rtt": 0.076967,
-        "zeek.dns.trans_id": 15209,
+        "zeek.dns.trans_id": "15209",
         "zeek.session_id": "CAcJw21BbVedgFnYH3"
     },
     {
         "@timestamp": "2019-08-29T16:23:50.680Z",
         "destination.address": "ff02::fb",
         "destination.ip": "ff02::fb",
         "destination.port": 5353,
-        "dns.id": 0,
+        "dns.id": "0",
         "dns.question.class": "IN",
         "dns.question.name": "_googlecast._tcp.local",
         "dns.question.registered_domain": "_tcp.local",
@@ -143,7 +143,7 @@
         "zeek.dns.qtype_name": "PTR",
         "zeek.dns.query": "_googlecast._tcp.local",
         "zeek.dns.rejected": false,
-        "zeek.dns.trans_id": 0,
+        "zeek.dns.trans_id": "0",
         "zeek.session_id": "C19a1k4lTv46YMbeOk"
     },
     {
@@ -158,7 +158,7 @@
             }
         ],
         "dns.header_flags": "AA",
-        "dns.id": 0,
+        "dns.id": "0",
         "dns.question.name": "_googlecast._tcp.local",
         "dns.question.registered_domain": "_tcp.local",
         "dns.question.subdomain": "_googlecast",
@@ -209,7 +209,7 @@
         "zeek.dns.rcode": 0,
         "zeek.dns.rcode_name": "NOERROR",
         "zeek.dns.rejected": false,
-        "zeek.dns.trans_id": 0,
+        "zeek.dns.trans_id": "0",
         "zeek.session_id": "CdiVAw7jJw6gsX5H"
     }
 ]