-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Packetbeat] HTTP: Improve support for 100-continue #15830
Comments
Hi, I would like to do some work on this. Could you @adriansr get me up to speed quickly on this? :) |
Hi @OhBonsai, sure. So I take it you know more or less how it works, but let me summarize: Packetbeat expects a normal HTTP request/response transaction:
From this Packetbeat generates a document for the request/response transaction. but when the client request includes a
From this currently Packetbeat generates two documents:
We want just the last document, while making sure that configuration options like Code for this is in Thanks for contributing! |
@adriansr PTAL |
* refactor(packet beat): Improve support for 100-continue * test(packetbeat): 100-continue only generate one event without error * test(packetbeat): 100-continue only generate one event without error * Update packetbeat/protos/http/http.go Co-authored-by: Adrian Serrano <adrisr83@gmail.com> * delete unused string * Fix format issue Co-authored-by: Marc Guasch <marc.guasch@elastic.co> Co-authored-by: Adrian Serrano <adrisr83@gmail.com>
…astic#19349) * refactor(packet beat): Improve support for 100-continue * test(packetbeat): 100-continue only generate one event without error * test(packetbeat): 100-continue only generate one event without error * Update packetbeat/protos/http/http.go Co-authored-by: Adrian Serrano <adrisr83@gmail.com> * delete unused string * Fix format issue Co-authored-by: Marc Guasch <marc.guasch@elastic.co> Co-authored-by: Adrian Serrano <adrisr83@gmail.com> (cherry picked from commit 41bc8c6)
…ne-2.0 * upstream/master: (41 commits) adding possibility to override content-type checks, it was breaking certain webhooks that is not able to set content-headers at all. Still defaults to application/json (elastic#20232) fix: use a fixed worker type for tests (elastic#20130) [Ingest Manager] Prepare packaging for endpoint and asc files (elastic#20186) [Packetbeat] HTTP: Improve support for 100-continue elastic#15830 (elastic#19349) Increase index.max_docvalue_fields_search to 200 (elastic#20218) [Ingest Manager] Prevent closing closed reader (elastic#20214) [Metricbeat] Use MySQL Host Parser in Query metricset (elastic#20191) Testing: Ignore timestamp from cylance/protect dataset (elastic#20211) [Filebeat] Ignore cylance.protect timestamps while testing (elastic#20207) [CI] remove codecov step (elastic#20102) [docs] Indicate that SYSTEM user is required on Windows to use Endpoint (elastic#20172) Remove f5/firepass rsa2elk fileset (elastic#20160) [Elastic Agent] Improve GRPC stop to be more relaxed. (elastic#20118) Fix fileset field prefixing (elastic#20170) Fix terminating pod autodiscover issue (elastic#20084) Call host parser only once when building light metricsets (elastic#20149) [CI] fix null string with contains (elastic#20182) [Ingest Manager] Fix failing unit tests on windows (elastic#20127) [Filebeat] Update crowdstrike module (elastic#20138) [docs] Add x-pack role to relevant metricsets (elastic#20167) ...
…20234) * refactor(packet beat): Improve support for 100-continue * test(packetbeat): 100-continue only generate one event without error * test(packetbeat): 100-continue only generate one event without error * Update packetbeat/protos/http/http.go Co-authored-by: Adrian Serrano <adrisr83@gmail.com> * delete unused string * Fix format issue Co-authored-by: Marc Guasch <marc.guasch@elastic.co> Co-authored-by: Adrian Serrano <adrisr83@gmail.com> (cherry picked from commit 41bc8c6) Co-authored-by: Bonsai <LetBonsaiBe@gmail.com>
…astic#19349) * refactor(packet beat): Improve support for 100-continue * test(packetbeat): 100-continue only generate one event without error * test(packetbeat): 100-continue only generate one event without error * Update packetbeat/protos/http/http.go Co-authored-by: Adrian Serrano <adrisr83@gmail.com> * delete unused string * Fix format issue Co-authored-by: Marc Guasch <marc.guasch@elastic.co> Co-authored-by: Adrian Serrano <adrisr83@gmail.com>
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
Closed in #19349 |
Packetbeat lacks support for
100-continue
request/response, which looks like:Expect: 100-continue
.Currently this is causing Packetbeat to:
Example with Packetbeat monitoring port 9200 for http:
Produces:
and
A simple workaround is to drop the events which contain this error:
The text was updated successfully, but these errors were encountered: