[libbeat] New decode xml wineventlog processor #25115
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
botelastic
bot
added
needs_team
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
Trends 🧪💚 Flaky test reportTests succeeded. Expand to view the summary
Test stats 🧪
|
leehinman
requested changes
Apr 15, 2021
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
marc-gr
force-pushed
the
new_decode_xml_wineventlog_processor
branch
from
c739801
to
3f8b423
Compare
5 tasks
|
This pull request is now in conflicts. Could you fix it? 🙏 |
andrewkroh
approved these changes
Apr 19, 2021
| exist in the event are overwritten by keys from the decoded XML object. The | ||
| default value is `true`. | ||
|
|
||
| `map_ecs_fields`:: (Optional) A boolean that specifies whether to map additional ECS |
There was a problem hiding this comment.
I think it would be more clear to explicitly state that this writes keys outside of target_field.
| `map_ecs_fields`:: (Optional) A boolean that specifies whether to map additional ECS | ||
| fields when possible. The default value is `true`. | ||
|
|
||
| `document_id`:: (Optional) XML key to use as the document ID. If configured, the |
There was a problem hiding this comment.
I don't think this will be useful for event log XML data. I can't think of a field that has enough uniqueness on its own. I'd would probably use a fingerprint processor to combine a few fields like record_id, channel, computer_name, timestamp if I wanted a unique _id.
marc-gr
force-pushed
the
new_decode_xml_wineventlog_processor
branch
from
ab53093
to
7eafa15
Compare
marc-gr
force-pushed
the
new_decode_xml_wineventlog_processor
branch
from
3fefb41
to
cfcb4f1
Compare
adriansr
approved these changes
Apr 20, 2021
v1v
added a commit
to v1v/beats
that referenced
this pull request
Apr 20, 2021
…-github-pr-comment-template * upstream/master: [Ingest Manager] Keep http and logging config during enroll (elastic#25132) Refactor kubernetes autodiscover to avoid skipping short-living pods (elastic#24742) [libbeat] New decode xml wineventlog processor (elastic#25115) Add svc to agent k8s clusterRole (elastic#25146) Add awsfargate module to collect container logs from Amazon ECS on Fargate (elastic#25041) [Filebeat][Cisco ASA] log enhancement and performance (elastic#24744) Watch kubernetes namespaces for autodiscover metadata for pods (elastic#25117) Cyberark Privileged Access Security module (elastic#24803) [Elastic Agent] Log the container command output with LOGS_PATH (elastic#25150) Fix for tests after `device...` field has been removed (elastic#25141) [Ingest Manager] Restart process on output change (elastic#24907) Set --insecure in container when FLEET_SERVER_ENABLE and FLEET_INSECURE set. (elastic#25137) [filebeat] Update documentation / changelog / beta warnings for the syslog input (elastic#25047) Add support for ignore_inactive in filestream input (elastic#25036) Fix bug with annotations dedot config on k8s not used (elastic#25111)
marc-gr
added a commit
that referenced
this pull request
Apr 20, 2021
* Move enrich raw functionality to common package * Enrich Raw fields when possible in decode_xml * Add ECS mappings when decoding wineventlog xml * Add decode_xml_wineventlog processor * Add missing fields to config checks * Change event.code type * Fix PR number in changelog * Fix test * Remove document_id and make docs more clear (cherry picked from commit 8cf8f51)
marc-gr
added a commit
that referenced
this pull request
Apr 20, 2021
* Move enrich raw functionality to common package * Enrich Raw fields when possible in decode_xml * Add ECS mappings when decoding wineventlog xml * Add decode_xml_wineventlog processor * Add missing fields to config checks * Change event.code type * Fix PR number in changelog * Fix test * Remove document_id and make docs more clear (cherry picked from commit 8cf8f51) Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com>
v1v
added a commit
to v1v/beats
that referenced
this pull request
Apr 22, 2021
…ng-versions-stack * upstream/master: (28 commits) Add support for parsers in filestream input (elastic#24763) Skip flaky test TestFilestreamTruncate (elastic#25218) backport: Add 7.13 branch (elastic#25189) Update decode_json_fields.asciidoc (elastic#25056) [Elastic Agent] Fix status and inspect command to work inside running container (elastic#25204) Check native environment before starting (elastic#25186) Change event.code and winlog.event_id type (elastic#25176) [Ingest Manager] Proxy processes/elastic-agent to stats (elastic#25193) Update mergify backporting to 7.x and 7.13 (elastic#25196) [Heartbeat]: ensure synthetics version co* [Heartbeat]: ensure synthetics version compatability for suites * address review and fix notice * fix lowercase struct * fix version conflict and rebase * update go.* stuff to master * fix notice.txt * move validate inside sourcempatability for suites (elastic#24777) [Filebeat] Ensure Kibana audit `event.category` and `event.type` are still processed as strings. (elastic#25101) Update replace.asciidoc (elastic#25055) Fix nil panic when overwriting metadata (elastic#24741) [Filebeat] Add Malware Bazaar to Threat Intel Module (elastic#24570) Fix k8s svc selectors mapping (elastic#25169) [Ingest Manager] Make agent retry values for bootstraping configurable (elastic#25163) [Metricbeat] Remove elasticsearc.index.created from the SM code (elastic#25113) [Ingest Manager] Keep http and logging config during enroll (elastic#25132) Refactor kubernetes autodiscover to avoid skipping short-living pods (elastic#24742) [libbeat] New decode xml wineventlog processor (elastic#25115) ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Draft of the changes required to move wineventlog decoding to a new processor
From the discussion at #25109 to see which approach we prefer.
Why is it important?
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.