auditbeat,filebeat,packetbeat: format mac addresses according to ECS #32622
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
This pull request is now in conflicts. Could you fix it? 🙏
The CEF processor (`keys.ecs.go`) is producing several MACs. You can add a `Translate` function to the mappings for each that replaces colons with dashes.
in.String = strings.ToUpper(strings.ReplaceAll(in.String, ":", "-")) | ||
return in.String, nil |
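Review bot: the replacement on the first line only rewrites colons, so a value that arrives dot-separated or with no separators is upper-cased but otherwise passes through unchanged, and nothing here checks that the string is a MAC address at all. Consider parsing the value and re-rendering it from the parsed bytes, or document that only colon-separated input is expected. The assignment to `in.String` is also unnecessary when the same value is returned on the next line; a direct `return strings.ToUpper(strings.ReplaceAll(in.String, ":", "-")), nil` says the same thing without touching the field.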
I doubt it matters, but none of the other `Translate` funcs mutate `*cef.Field`. They only return the modified value. Perhaps it should be a straight return without the set.
Fixed and added docs to `mappedField`.
Note for future: The mutation would be ineffective in this case.
… ECS fields This retains the original format in the cef.extension fields but ensures that the MAC address format used in ECS fields matches the spec.
…32622)
* packetbeat,x-pack/{auditbeat,filebeat}: make MAC addresses render in ECS format
* x-pack/filebeat/processors/decode_cef: canonicalise MAC addresses for ECS fields
This retains the original format in the cef.extension fields but ensures that the MAC address format used in ECS fields matches the spec.
What does this PR do?
This changes MAC address formatting to conform to the ECS specification.
Why is it important?
Currently MAC addresses are formatted in Go code using the `net.HardwareAddr` `String` method which does not conform to the ECS spec.
Checklist
I have made corresponding change to the default configuration files
CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.
Author's Checklist
How to test this PR locally
Related issues
Use cases
Screenshots
Logs
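The mismatch described under "Why is it important?", as an added example that is not code from this PR or the Beats repository: Go's `net.HardwareAddr.String` renders lower-case, colon-separated octets, while the ECS form discussed in the thread is upper-case with dashes. The function names `formatECSMAC` and `canonicaliseMAC` and the sample address are assumptions for illustration; parsing with `net.ParseMAC` before re-rendering also normalises dash- and dot-separated input and rejects non-MAC strings, which a plain colon replacement does not.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// formatECSMAC renders a hardware address as upper-case hex octets
// separated by dashes (hypothetical helper, not the Beats implementation).
func formatECSMAC(addr net.HardwareAddr) string {
	if len(addr) == 0 {
		return ""
	}
	const hexDigits = "0123456789ABCDEF"
	buf := make([]byte, 0, len(addr)*3-1)
	for i, b := range addr {
		if i > 0 {
			buf = append(buf, '-')
		}
		buf = append(buf, hexDigits[b>>4], hexDigits[b&0x0f])
	}
	return string(buf)
}

// canonicaliseMAC parses a textual MAC in any form net.ParseMAC accepts
// (colon, dash or dot separated) and re-renders it from the parsed bytes.
// Input that is not a MAC address is reported instead of passed through.
func canonicaliseMAC(s string) (string, error) {
	addr, err := net.ParseMAC(strings.TrimSpace(s))
	if err != nil {
		return "", fmt.Errorf("not a MAC address %q: %w", s, err)
	}
	return formatECSMAC(addr), nil
}

func main() {
	// Constructed sample address for illustration.
	hw := net.HardwareAddr{0x00, 0x00, 0x5e, 0x00, 0x53, 0x23}
	fmt.Println("String():    ", hw.String())
	fmt.Println("formatECSMAC:", formatECSMAC(hw))

	// Constructed inputs: three separator styles and one invalid value.
	inputs := []string{"00:00:5e:00:53:23", "00-00-5e-00-53-23", "0000.5e00.5323", "not-a-mac"}
	for _, in := range inputs {
		out, err := canonicaliseMAC(in)
		fmt.Printf("%q -> %q (err: %v)\n", in, out, err)
	}
}
```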