Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Filebeat] backwards compatibility for set processor #20908

Merged
merged 3 commits into from
Sep 3, 2020
Merged

[Filebeat] backwards compatibility for set processor #20908

merged 3 commits into from
Sep 3, 2020

Conversation

leehinman
Copy link
Contributor

@leehinman leehinman commented Sep 1, 2020
edited
Loading

What does this PR do?

When loading a pipeline this change checks the elasticsearch version
and if the version is less than 7.9.0 it will replace the
"ignore_empty_value" option with an equivalent if statement on the set
processor.

Why is it important?

This allows filebeat > 7.9.0 to be used with older versions of
elasticsearch. Without it the pipelines fail to load because the
option isn't supported.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

run filebeat modules enable zeek && filebeat -e setup

Logs

Error

2020-09-01T12:42:48.781-0500	ERROR	fileset/setup.go:81	Error loading pipeline: 1 error: Error loading pipeline for fileset zeek/x509: couldn't load pipeline: couldn't load json. Error: 400 Bad Request: {"error":{"root_cause [{"type":"parse_exception","reason":"processor [set] doesn't support one or more provided configuration parameters [ignore_empty_value]",
...

With fix:

2020-09-01T14:04:56.470-0500	DEBUG	[modules] fileset/pipelines.go:277     	in pipeline filebeat-8.0.0-zeek-x509-pipeline replacing unsupported 'ignore_empty_value' with if ctx?.zeek?.x509?.certificate?.subject?.state != null in set processor

@leehinman leehinman added bug Filebeat Filebeat needs_backport PR is waiting to be backported to other branches. Team:SIEM labels Sep 1, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Sep 1, 2020
@elasticmachine
Copy link
Collaborator

elasticmachine commented Sep 1, 2020
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Pull request #20908 updated]

  • Start Time: 2020-09-02T21:28:49.153+0000

  • Duration: 55 min 17 sec

Test stats 🧪

Test Results
Failed 0
Passed 5586
Skipped 822
Total 6408

@leehinman
backwards compatibility for set processor
84cc638 
- "ignore_empty_value" option for the set processor only works on
elasticsearch >= 7.9.0.  This change removes that option and replaces
it with an if statement if pipeline is loaded on an earlier version of
elasticsearch.
andrewkroh
andrewkroh reviewed Sep 1, 2020
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few minor suggestions.

filebeat/fileset/pipelines.go Outdated
if !ok {
continue
}
newIf := strings.ReplaceAll(val, "{", "")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about TrimLeft and TrimRight for these two?

filebeat/fileset/pipelines.go Outdated
newIf = strings.TrimSpace(newIf)
newIf = strings.ReplaceAll(newIf, ".", "?.")
newIf = "ctx?." + newIf + " != null"
logp.Debug("modules", "in pipeline %s replacing unsupported 'ignore_empty_value' with if %s in set processor", pipelineID, newIf)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
logp.Debug("modules", "in pipeline %s replacing unsupported 'ignore_empty_value' with if %s in set processor", pipelineID, newIf)
logp.Debug("modules", "In pipeline %s replacing unsupported 'ignore_empty_value' with if %q in set processor", pipelineID, newIf)

filebeat/fileset/pipelines_test.go
"set": map[string]interface{}{
"field": "rule.name",
"value": "{{panw.panos.ruleset}}",
"ignore_empty_value": true,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about a test case for when the pipeline already has an if and it has ignore_empty_value. Perhaps it should just drop the ignore_empty_value in that case?

CHANGELOG.next.asciidoc Outdated
@@ -256,6 +256,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fix long registry migration times. {pull}20717[20717] {issue}20705[20705]
- Fix event types and categories in auditd module to comply with ECS {pull}20652[20652]
- Update documentation in the azure module filebeat. {pull}20815[20815]
- provide backwards compatibility for set processor and elasticsearch less than 7.9.0 {pull}20908[20908]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- provide backwards compatibility for set processor and elasticsearch less than 7.9.0 {pull}20908[20908]
- Provide backwards compatibility for the `set` processor when Elasticsearch is less than 7.9.0. {pull}20908[20908]

andrewkroh
andrewkroh approved these changes Sep 2, 2020
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Can you try testing the modules locally against 7.8 if you haven't already.

I think if you export TESTING_ENVIRONMENT=latest and roll back to 7.8 in https://github.com/elastic/beats/blob/master/testing/environments/latest.yml#L6-L29 while running the module tests it will use 7.8.

@leehinman
Copy link
Contributor Author

LGTM. Can you try testing the modules locally against 7.8 if you haven't already.

I think if you export TESTING_ENVIRONMENT=latest and roll back to 7.8 in https://github.com/elastic/beats/blob/master/testing/environments/latest.yml#L6-L29 while running the module tests it will use 7.8.

All tests passed with TESTING_ENVIRONMENT=latest & setting version to 7.8.0 in latest.yml

Also tried loading the zeek module against 7.8.1 & 7.9.0 clusters:

7.8.1 cluster

setup output

2020-09-03T10:00:54.917-0500	DEBUG	[modules]	fileset/pipelines.go:270	In pipeline "filebeat-8.0.0-zeek-x509-pipeline" removing unsupported 'ignore_empty_value' in set processor
2020-09-03T10:00:54.917-0500	DEBUG	[modules]	fileset/pipelines.go:288	In pipeline "filebeat-8.0.0-zeek-x509-pipeline" adding if ctx?.zeek?.x509?.certificate?.subject?.common_name != null to replace 'ignore_empty_value' in set processor
2020-09-03T10:00:55.003-0500	INFO	fileset/pipelines.go:139	Elasticsearch pipeline with ID 'filebeat-8.0.0-zeek-x509-pipeline' loaded

Resulting set processor

{
        "set" : {
          "value" : "{{zeek.x509.certificate.subject.common_name}}",
          "if" : "ctx?.zeek?.x509?.certificate?.subject?.common_name != null",
          "field" : "file.x509.subject.common_name"
        }
},

7.9.0 cluster

setup output

2020-09-03T10:21:33.594-0500	INFO	fileset/pipelines.go:139	Elasticsearch pipeline with ID 'filebeat-8.0.0-zeek-x509-pipeline' loaded

Resulting set processor

{
        "set" : {
          "ignore_empty_value" : true,
          "field" : "file.x509.subject.common_name",
          "value" : "{{zeek.x509.certificate.subject.common_name}}"
        }
},

@leehinman leehinman merged commit 0032c0c into elastic:master Sep 3, 2020
leehinman added a commit to leehinman/beats that referenced this pull request Sep 3, 2020
@leehinman
[Filebeat] backwards compatibility for set processor (elastic#20908)
9ba271b 
- "ignore_empty_value" option for the set processor only works on
Elasticsearch >= 7.9.0.  This change removes that option and replaces
it with an if statement if pipeline is loaded on an earlier version of
elasticsearch.

(cherry picked from commit 0032c0c)
@leehinman leehinman mentioned this pull request Sep 3, 2020
Merged
6 tasks
@leehinman leehinman added v7.10.0 and removed needs_backport PR is waiting to be backported to other branches. labels Sep 3, 2020
@andrewkroh andrewkroh mentioned this pull request Sep 14, 2020
Merged
6 tasks
andrewkroh pushed a commit to andrewkroh/beats that referenced this pull request Sep 14, 2020
@leehinman @andrewkroh
[Filebeat] backwards compatibility for set processor (elastic#20908)
3cea2d0 
- "ignore_empty_value" option for the set processor only works on
Elasticsearch >= 7.9.0.  This change removes that option and replaces
it with an if statement if pipeline is loaded on an earlier version of
elasticsearch.

(cherry picked from commit 0032c0c)
leehinman added a commit that referenced this pull request Sep 15, 2020
@leehinman
[Filebeat] backwards compatibility for set processor (#20908) (#20969)
ec794aa 
- "ignore_empty_value" option for the set processor only works on
Elasticsearch >= 7.9.0.  This change removes that option and replaces
it with an if statement if pipeline is loaded on an earlier version of
elasticsearch.

(cherry picked from commit 0032c0c)
leehinman added a commit that referenced this pull request Sep 15, 2020
@andrewkroh @leehinman
[Filebeat] backwards compatibility for set processor (#20908) (#21084)
5a06f7e 
- "ignore_empty_value" option for the set processor only works on
Elasticsearch >= 7.9.0.  This change removes that option and replaces
it with an if statement if pipeline is loaded on an earlier version of
elasticsearch.

(cherry picked from commit 0032c0c)

Co-authored-by: Lee Hinman <57081003+leehinman@users.noreply.github.com>
@leehinman leehinman deleted the set_processor_fix branch October 5, 2020 19:21
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this pull request Oct 14, 2020
@leehinman @melchiormoulin
[Filebeat] backwards compatibility for set processor (elastic#20908)
d955c2c 
- "ignore_empty_value" option for the set processor only works on
Elasticsearch >= 7.9.0.  This change removes that option and replaces
it with an if statement if pipeline is loaded on an earlier version of
elasticsearch.
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
@andrewkroh @leehinman
[Filebeat] backwards compatibility for set processor (elastic#20908) (e…
d15f604 
…lastic#21084)

- "ignore_empty_value" option for the set processor only works on
Elasticsearch >= 7.9.0.  This change removes that option and replaces
it with an if statement if pipeline is loaded on an earlier version of
elasticsearch.

(cherry picked from commit b6162c4)

Co-authored-by: Lee Hinman <57081003+leehinman@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees
No one assigned
Labels
bug Filebeat Filebeat v7.9.2 v7.10.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@leehinman @elasticmachine @andrewkroh