Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Filebeat] Improve Suricata error handling #23236

Merged
merged 2 commits into from
Jan 5, 2021
Merged

[Filebeat] Improve Suricata error handling #23236

merged 2 commits into from
Jan 5, 2021

Conversation

andrewkroh
Copy link
Member

What does this PR do?

This fixes several errors processing EVE logs.

  • Fix null dereference of suricata.eve.http.status. Even for http events it can be null.
  • Remove unused field mapping for suricata.eve.flow.end
  • Improve error.message details in pipeline on_failure handlers.
  • Add tags to script processors to improve error messages.
  • Rename suricata.eve.http.http_port to url.port.
  • Add remove processor to on_failure handler to remove any alias field to prevent indexing errors.
  • Ignore errors parsing TLS version. The pipeline got a value of "UNDETERMINED" that caused an error.
  • Ignore errors parsing TLS subject/issuer DNs with kv. If a value contain the value_split string like "Nutanix, Inc." it can fail.

Why is it important?

Errors were preventing remove processors from running. This left concrete values in the events for fields that are mapped as alias. Those events were rejected.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

@andrewkroh andrewkroh added bug Filebeat Filebeat needs_backport PR is waiting to be backported to other branches. Team:Security-External Integrations labels Dec 22, 2020
@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Dec 22, 2020
@elasticmachine
Copy link
Collaborator

elasticmachine commented Dec 22, 2020
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: andrewkroh commented: run tests

  • Start Time: 2021-01-05T17:44:52.039+0000

  • Duration: 43 min 51 sec

Test stats 🧪

Test Results
Failed 0
Passed 2445
Skipped 263
Total 2708

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test Results
Failed 0
Passed 2445
Skipped 263
Total 2708

leehinman
leehinman approved these changes Dec 22, 2020
View reviewed changes
Copy link
Contributor

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I really like the error message for each pipeline.

@andrewkroh
Improve Suricata error handling
30dcb0e 
This fixes several errors processing EVE logs.

Fix null dereference of suricata.eve.http.status. Even for http events it can be null.
Remove unused field mapping for suricata.eve.flow.end
Improve error.message details in pipeline on_failure handlers.
Add tags to script processors to improve error messages.
Rename suricata.eve.http.http_port to url.port.
Add remove processor to on_failure handler to remove any alias field to prevent indexing errors.
Ignore errors parsing TLS version. The pipeline got a value of "UNDETERMINED" that caused an error.
Ignore errors parsing TLS subject/issuer DNs with kv. If a value contain the value_split string like "Nutanix, Inc." it can fail.
@andrewkroh andrewkroh force-pushed the bugfix/fb/suricata-fixes-alias-conflict branch from 6bad930 to 30dcb0e Compare December 22, 2020 23:59
@andrewkroh andrewkroh marked this pull request as ready for review January 4, 2021 17:49
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@andrewkroh
Copy link
Member Author

run tests

@andrewkroh andrewkroh merged commit 11c5367 into elastic:master Jan 5, 2021
@andrewkroh andrewkroh mentioned this pull request Jan 5, 2021
Merged
6 tasks
@andrewkroh andrewkroh added v7.12.0 and removed needs_backport PR is waiting to be backported to other branches. labels Jan 5, 2021
@jsoriano jsoriano mentioned this pull request Jan 6, 2021
Merged
@v1v v1v mentioned this pull request Jan 6, 2021
Merged
v1v added a commit to v1v/beats that referenced this pull request Jan 7, 2021
@v1v
Revert "Improve Suricata error handling (elastic#23236)"
808b041 
This reverts commit 11c5367.
v1v added a commit to v1v/beats that referenced this pull request Jan 7, 2021
@v1v
Revert "Revert "Improve Suricata error handling (elastic#23236)""
35cedc1 
This reverts commit 808b041.
v1v added a commit to v1v/beats that referenced this pull request Jan 7, 2021
@v1v
Revert "Improve Suricata error handling (elastic#23236)"
49ed4ad 
This reverts commit 11c5367.
andrewkroh added a commit to andrewkroh/beats that referenced this pull request Jan 11, 2021
@andrewkroh
Improve Suricata error handling (elastic#23236)
527f9cf 
This fixes several errors processing EVE logs.

Fix null dereference of suricata.eve.http.status. Even for http events it can be null.
Remove unused field mapping for suricata.eve.flow.end
Improve error.message details in pipeline on_failure handlers.
Add tags to script processors to improve error messages.
Rename suricata.eve.http.http_port to url.port.
Add remove processor to on_failure handler to remove any alias field to prevent indexing errors.
Ignore errors parsing TLS version. The pipeline got a value of "UNDETERMINED" that caused an error.
Ignore errors parsing TLS subject/issuer DNs with kv. If a value contain the value_split string like "Nutanix, Inc." it can fail.

(cherry picked from commit 11c5367)
andrewkroh added a commit that referenced this pull request Jan 11, 2021
@andrewkroh @jsoriano
Cherry-pick #23236 to 7.x: [Filebeat] Improve Suricata error handling (
bc888ce 
…#23369)

* Improve Suricata error handling (#23236)

This fixes several errors processing EVE logs.

Fix null dereference of suricata.eve.http.status. Even for http events it can be null.
Remove unused field mapping for suricata.eve.flow.end
Improve error.message details in pipeline on_failure handlers.
Add tags to script processors to improve error messages.
Rename suricata.eve.http.http_port to url.port.
Add remove processor to on_failure handler to remove any alias field to prevent indexing errors.
Ignore errors parsing TLS version. The pipeline got a value of "UNDETERMINED" that caused an error.
Ignore errors parsing TLS subject/issuer DNs with kv. If a value contain the value_split string like "Nutanix, Inc." it can fail.

(cherry picked from commit 11c5367)

* Update suricata fields in filebeat (#23372)

Co-authored-by: Jaime Soriano Pastor <jaime.soriano@elastic.co>
@andrewkroh andrewkroh mentioned this pull request Feb 2, 2021
Merged
6 tasks
andrewkroh added a commit to andrewkroh/beats that referenced this pull request Feb 2, 2021
@andrewkroh
Improve Suricata error handling (elastic#23236)
af26037 
This fixes several errors processing EVE logs.

Fix null dereference of suricata.eve.http.status. Even for http events it can be null.
Remove unused field mapping for suricata.eve.flow.end
Improve error.message details in pipeline on_failure handlers.
Add tags to script processors to improve error messages.
Rename suricata.eve.http.http_port to url.port.
Add remove processor to on_failure handler to remove any alias field to prevent indexing errors.
Ignore errors parsing TLS version. The pipeline got a value of "UNDETERMINED" that caused an error.
Ignore errors parsing TLS subject/issuer DNs with kv. If a value contain the value_split string like "Nutanix, Inc." it can fail.

(cherry picked from commit 11c5367)
andrewkroh added a commit that referenced this pull request Feb 4, 2021
@andrewkroh
Cherry-pick #23236 to 7.11: [Filebeat] Improve Suricata error handling (
e1ccdd3 
#23807)

This fixes several errors processing EVE logs.

Fix null dereference of suricata.eve.http.status. Even for http events it can be null.
Remove unused field mapping for suricata.eve.flow.end
Improve error.message details in pipeline on_failure handlers.
Add tags to script processors to improve error messages.
Rename suricata.eve.http.http_port to url.port.
Add remove processor to on_failure handler to remove any alias field to prevent indexing errors.
Ignore errors parsing TLS version. The pipeline got a value of "UNDETERMINED" that caused an error.
Ignore errors parsing TLS subject/issuer DNs with kv. If a value contain the value_split string like "Nutanix, Inc." it can fail.

(cherry picked from commit 11c5367)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leehinman leehinman leehinman approved these changes

Assignees
No one assigned
Labels
bug Filebeat Filebeat v7.11.0 v7.12.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@andrewkroh @elasticmachine @leehinman