Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Filebeat] Improve ECS field mappings in santa module #17982

Merged
merged 3 commits into from
Apr 29, 2020
Merged

[Filebeat] Improve ECS field mappings in santa module #17982

merged 3 commits into from
Apr 29, 2020

Conversation

leehinman
Copy link
Contributor

@leehinman leehinman commented Apr 24, 2020
edited by zube bot
Loading

What does this PR do?

Improves ECS field mappings in santa module. Specifically:

  • move certificate.common_name to santa.certificate.common_name (breaking change)
  • move certificate.sha256 to santa.certificate.sha256 (breaking change)
  • move hash.sha256 to process.hash.sha256 (breaking change)
  • event.action
  • event.category
  • event.kind
  • event.type
  • event.outcome
  • log.level
  • add full path to executable to process.args
  • related.hash
  • related.user

Why is it important?

Improved ECS compatibility improves the usefulness of the data in the SIEM app and makes cross correlation between data sources easier.

Checklist

  • My code follows the style guidelines of this project
    - [ ] I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
    - [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

GENERATE=true TESTING_FILEBEAT_MODULES=santa mage -v pythonIntegTest

Related issues

Closes #16180

@leehinman leehinman added enhancement Filebeat Filebeat needs_backport PR is waiting to be backported to other branches. Team:SIEM ecs labels Apr 24, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@leehinman
Improve ECS field mappings in santa module
cf4307d 
- move certificate.common_name to
  santa.certificate.common_name (breaking change)
- move certificate.sha256 to
  santa.certificate.sha256 (breaking change)
- move hash.sha256 to process.hash.sha256 (breaking change)
- event.action
- event.category
- event.kind
- event.type
- event.outcome
- log.level
- add full path to executable to process.args
- related.hash
- related.user

Closes elastic#16180
@elasticmachine
Copy link
Collaborator

💔 Build Failed

Pipeline View Test View Changes Artifacts preview stats

Expand to view the summary

Build stats

Test stats 🧪

Test Results
Failed 5
Passed 2762
Skipped 405
Total 3172

Test errors

Expand to view the tests failures

  • Name: Build and Test / Filebeat Mac OS X / test_registrar_files_with_input_level_processors – test_registrar.Test

    • Status: FAILED
    • Age: 1
    • Duration: 3.592
    • Error Details: Mismatched values: 'offset', expected: 60, actual: 48

  • Name: Build and Test / Filebeat Mac OS X / test_rotating_file_with_restart – test_registrar.Test

    • Status: FAILED
    • Age: 1
    • Duration: 5.639
    • Error Details:

  • Name: Build and Test / Filebeat Mac OS X / test_upgrade_from_6_3_0 – test_registrar_upgrade.Test

    • Status: FAILED
    • Age: 1
    • Duration: 1.507
    • Error Details:

  • Name: Build and Test / Filebeat Mac OS X / test_upgrade_from_6_3_1 – test_registrar_upgrade.Test

    • Status: FAILED
    • Age: 1
    • Duration: 1.462
    • Error Details:

  • Name: Build and Test / Filebeat Mac OS X / test_upgrade_from_faulty_6_3_1 – test_registrar_upgrade.Test

    • Status: FAILED
    • Age: 1
    • Duration: 1.747
    • Error Details:

Steps errors

Expand to view the steps failures

  • Name: Mage build unitTest

    • Description: mage build unitTest

    • Result: FAILURE

    • Duration: 17 min 14 sec<

    • Start Time: 2020-04-29T20:16:15.336+0000

Log output

Expand to view the last 100 lines of log output 

[2020-04-29T20:43:47.370Z] Recording test results
[2020-04-29T20:43:50.394Z] Archiving artifacts
[2020-04-29T20:43:51.029Z] java.lang.InterruptedException: no matches found within 10000
[2020-04-29T20:43:51.029Z] 	at hudson.FilePath$ValidateAntFileMask.hasMatch(FilePath.java:2826)
[2020-04-29T20:43:51.029Z] 	at hudson.FilePath$ValidateAntFileMask.invoke(FilePath.java:2705)
[2020-04-29T20:43:51.029Z] 	at hudson.FilePath$ValidateAntFileMask.invoke(FilePath.java:2686)
[2020-04-29T20:43:51.029Z] 	at hudson.FilePath$FileCallableWrapper.call(FilePath.java:3073)
[2020-04-29T20:43:51.029Z] Also:   hudson.remoting.Channel$CallSiteStackTrace: Remote call to JNLP4-connect connection from beats-ci-immutable-ubuntu-1604-1588190912523946197.c.elastic-ci-prod.internal/10.224.0.160:36798
[2020-04-29T20:43:51.029Z] 		at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1788)
[2020-04-29T20:43:51.029Z] 		at hudson.remoting.UserRequest$ExceptionResponse.retrieve(UserRequest.java:356)
[2020-04-29T20:43:51.029Z] 		at hudson.remoting.Channel.call(Channel.java:998)
[2020-04-29T20:43:51.029Z] 		at hudson.FilePath.act(FilePath.java:1069)
[2020-04-29T20:43:51.029Z] 		at hudson.FilePath.act(FilePath.java:1058)
[2020-04-29T20:43:51.029Z] 		at hudson.FilePath.validateAntFileMask(FilePath.java:2684)
[2020-04-29T20:43:51.030Z] 		at hudson.tasks.ArtifactArchiver.perform(ArtifactArchiver.java:265)
[2020-04-29T20:43:51.030Z] 		at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:80)
[2020-04-29T20:43:51.030Z] 		at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:67)
[2020-04-29T20:43:51.030Z] 		at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
[2020-04-29T20:43:51.030Z] 		at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
[2020-04-29T20:43:51.030Z] 		at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[2020-04-29T20:43:51.030Z] 		at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[2020-04-29T20:43:51.030Z] 		at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[2020-04-29T20:43:51.030Z] Caused: hudson.FilePath$TunneledInterruptedException
[2020-04-29T20:43:51.030Z] 	at hudson.FilePath$FileCallableWrapper.call(FilePath.java:3075)
[2020-04-29T20:43:51.030Z] 	at hudson.remoting.UserRequest.perform(UserRequest.java:212)
[2020-04-29T20:43:51.030Z] 	at hudson.remoting.UserRequest.perform(UserRequest.java:54)
[2020-04-29T20:43:51.030Z] 	at hudson.remoting.Request$2.run(Request.java:369)
[2020-04-29T20:43:51.030Z] 	at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
[2020-04-29T20:43:51.030Z] 	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[2020-04-29T20:43:51.030Z] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[2020-04-29T20:43:51.030Z] 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[2020-04-29T20:43:51.030Z] 	at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:93)
[2020-04-29T20:43:51.030Z] Caused: java.lang.InterruptedException: java.lang.InterruptedException: no matches found within 10000
[2020-04-29T20:43:51.030Z] 	at hudson.FilePath.act(FilePath.java:1071)
[2020-04-29T20:43:51.030Z] 	at hudson.FilePath.act(FilePath.java:1058)
[2020-04-29T20:43:51.030Z] 	at hudson.FilePath.validateAntFileMask(FilePath.java:2684)
[2020-04-29T20:43:51.030Z] 	at hudson.tasks.ArtifactArchiver.perform(ArtifactArchiver.java:265)
[2020-04-29T20:43:51.030Z] 	at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:80)
[2020-04-29T20:43:51.030Z] 	at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:67)
[2020-04-29T20:43:51.030Z] 	at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
[2020-04-29T20:43:51.030Z] 	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
[2020-04-29T20:43:51.030Z] 	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[2020-04-29T20:43:51.030Z] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[2020-04-29T20:43:51.030Z] 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[2020-04-29T20:43:51.030Z] 	at java.lang.Thread.run(Thread.java:748)
[2020-04-29T20:43:51.030Z] No artifacts found that match the file pattern "**/build/TEST*.out". Configuration error?
[2020-04-29T20:43:51.417Z] + curl -sSLo codecov https://codecov.io/bash
[2020-04-29T20:43:51.680Z] + FILE=auditbeat/build/coverage/full.cov
[2020-04-29T20:43:51.680Z] + [ -f auditbeat/build/coverage/full.cov ]
[2020-04-29T20:43:51.680Z] + FILE=filebeat/build/coverage/full.cov
[2020-04-29T20:43:51.680Z] + [ -f filebeat/build/coverage/full.cov ]
[2020-04-29T20:43:51.680Z] + bash codecov -f filebeat/build/coverage/full.cov
[2020-04-29T20:43:51.680Z] 
[2020-04-29T20:43:51.680Z]   _____          _
[2020-04-29T20:43:51.680Z]  / ____|        | |
[2020-04-29T20:43:51.680Z] | |     ___   __| | ___  ___ _____   __
[2020-04-29T20:43:51.680Z] | |    / _ \ / _` |/ _ \/ __/ _ \ \ / /
[2020-04-29T20:43:51.680Z] | |___| (_) | (_| |  __/ (_| (_) \ V /
[2020-04-29T20:43:51.680Z]  \_____\___/ \__,_|\___|\___\___/ \_/
[2020-04-29T20:43:51.680Z]                               Bash-tbd
[2020-04-29T20:43:51.680Z] 
[2020-04-29T20:43:51.680Z] 
[2020-04-29T20:43:51.680Z] ==> Jenkins CI detected.
[2020-04-29T20:43:51.680Z]     project root: .
[2020-04-29T20:43:51.680Z]     Fixing merge commit SHA
[2020-04-29T20:43:51.680Z]     Yaml found at: codecov.yml
[2020-04-29T20:43:51.680Z]     -> Found 1 reports
[2020-04-29T20:43:51.680Z] ==> Detecting git/mercurial file structure
[2020-04-29T20:43:51.945Z] ==> Reading reports
[2020-04-29T20:43:51.945Z]     + filebeat/build/coverage/full.cov bytes=259428
[2020-04-29T20:43:51.945Z] ==> Appending adjustments
[2020-04-29T20:43:51.945Z]     http://docs.codecov.io/docs/fixing-reports
[2020-04-29T20:44:00.110Z]     + Found adjustments
[2020-04-29T20:44:00.110Z] ==> Gzipping contents
[2020-04-29T20:44:00.372Z] ==> Uploading reports
[2020-04-29T20:44:00.372Z]     url: https://codecov.io
[2020-04-29T20:44:00.372Z]     query: branch=PR-17982&commit=1d85b30e0bd4361e8a8bc578cd824071841f2dc6&build=4&build_url=https%3A%2F%2Fbeats-ci.elastic.co%2Fjob%2FBeats%2Fjob%2Fbeats-beats-mbp%2Fjob%2FPR-17982%2F4%2F&name=&tag=&slug=elastic%2Fbeats&service=jenkins&flags=&pr=17982&job=
[2020-04-29T20:44:00.372Z]     -> Pinging Codecov
[2020-04-29T20:44:00.372Z] https://codecov.io/upload/v4?package=bash-tbd&token=secret&branch=PR-17982&commit=1d85b30e0bd4361e8a8bc578cd824071841f2dc6&build=4&build_url=https%3A%2F%2Fbeats-ci.elastic.co%2Fjob%2FBeats%2Fjob%2Fbeats-beats-mbp%2Fjob%2FPR-17982%2F4%2F&name=&tag=&slug=elastic%2Fbeats&service=jenkins&flags=&pr=17982&job=
[2020-04-29T20:44:00.633Z] HTTP 400
[2020-04-29T20:44:00.633Z] Please provide the repository token to upload reports via `-t :repository-token`
[2020-04-29T20:44:00.633Z] + FILE=heartbeat/build/coverage/full.cov
[2020-04-29T20:44:00.633Z] + [ -f heartbeat/build/coverage/full.cov ]
[2020-04-29T20:44:00.633Z] + FILE=libbeat/build/coverage/full.cov
[2020-04-29T20:44:00.633Z] + [ -f libbeat/build/coverage/full.cov ]
[2020-04-29T20:44:00.633Z] + FILE=metricbeat/build/coverage/full.cov
[2020-04-29T20:44:00.633Z] + [ -f metricbeat/build/coverage/full.cov ]
[2020-04-29T20:44:00.634Z] + FILE=packetbeat/build/coverage/full.cov
[2020-04-29T20:44:00.634Z] + [ -f packetbeat/build/coverage/full.cov ]
[2020-04-29T20:44:00.634Z] + FILE=winlogbeat/build/coverage/full.cov
[2020-04-29T20:44:00.634Z] + [ -f winlogbeat/build/coverage/full.cov ]
[2020-04-29T20:44:00.634Z] + FILE=journalbeat/build/coverage/full.cov
[2020-04-29T20:44:00.634Z] + [ -f journalbeat/build/coverage/full.cov ]
[2020-04-29T20:44:02.468Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-17982
[2020-04-29T20:44:02.723Z] [INFO] getVaultSecret: Getting secrets
[2020-04-29T20:44:02.789Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-04-29T20:44:03.566Z] + chmod 755 generate-build-data.sh
[2020-04-29T20:44:03.566Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-17982/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-17982/runs/4 FAILURE 3412490
[2020-04-29T20:44:04.117Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-17982/runs/4/steps/?limit=10000 -o steps-info.json
[2020-04-29T20:44:04.367Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-17982/runs/4/tests/?status=FAILED -o tests-errors.json

@leehinman leehinman merged commit 81dfe61 into elastic:master Apr 29, 2020
@leehinman leehinman deleted the 16180_santa_ecs_1.4 branch April 29, 2020 21:44
@leehinman leehinman mentioned this pull request Apr 29, 2020
Merged
4 tasks
@leehinman leehinman added v7.8.0 and removed needs_backport PR is waiting to be backported to other branches. labels Apr 29, 2020
leehinman added a commit to leehinman/beats that referenced this pull request Apr 29, 2020
@leehinman
[Filebeat] Improve ECS field mappings in santa module (elastic#17982)
654abec 
* Improve ECS field mappings in santa module

- move certificate.common_name to
  santa.certificate.common_name (breaking change)
- move certificate.sha256 to
  santa.certificate.sha256 (breaking change)
- move hash.sha256 to process.hash.sha256 (breaking change)
- event.action
- event.category
- event.kind
- event.type
- event.outcome
- log.level
- add full path to executable to process.args
- related.hash
- related.user
- Add new default file path

Closes elastic#16180

(cherry picked from commit 81dfe61)
leehinman added a commit that referenced this pull request May 5, 2020
@leehinman
[Filebeat] Improve ECS field mappings in santa module (#17982) (#18114)
71d4714 
* Improve ECS field mappings in santa module

- move certificate.common_name to
  santa.certificate.common_name (breaking change)
- move certificate.sha256 to
  santa.certificate.sha256 (breaking change)
- move hash.sha256 to process.hash.sha256 (breaking change)
- event.action
- event.category
- event.kind
- event.type
- event.outcome
- log.level
- add full path to executable to process.args
- related.hash
- related.user
- Add new default file path

Closes #16180

(cherry picked from commit 81dfe61)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees
No one assigned
Labels
ecs enhancement Filebeat Filebeat v7.8.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Filebeat] Upgrade santa module to ECS 1.4
3 participants
@leehinman @elasticmachine @andrewkroh