
add zeek system tests #448

Merged
merged 2 commits into from
Dec 10, 2020

Conversation

leehinman (Contributor)

What does this PR do?

Add system tests to the zeek package and bump the version to 0.3.5.

Specific changes to data_streams were:

  • capture_loss
  • connection
  • dce_rpc, update ecs.yml
  • dhcp, update ecs.yml
  • dnp3, update ecs.yml
  • dns, update ecs.yml, fix type mismatch
  • dpd
  • files
  • http, update ecs.yml, fix path configuration
  • intel
  • irc
  • kerberos, update ecs.yml
  • modbus, update ecs.yml
  • mysql, update ecs.yml
  • notice
  • ntlm
  • pe
  • radius
  • rdp, update ecs.yml
  • rfb
  • sip
  • smb_cmd
  • smb_files
  • smb_mapping
  • smtp
  • snmp
  • socks
  • ssh
  • ssl, update ecs.yml
  • stats
  • traceroute
  • tunnel
  • weird
  • x509, update ecs.yml

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all datasets collect metrics or logs.

How to test this PR locally

elastic-package clean && \
elastic-package build && \
elastic-package stack up -d && \
$(elastic-package stack shellinit) && \
elastic-package test system -v

Related issues

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@elasticmachine commented Dec 4, 2020

💚 Build Succeeded


Build stats

  • Build Cause: Pull request #448 updated

  • Start Time: 2020-12-10T19:25:43.512+0000

  • Duration: 33 min 3 sec

Test stats 🧪

Test Results: Failed 0, Passed 124, Skipped 0, Total 124

@andrewkroh (Member)

The CI error is

[2020-12-07T22:37:23.341Z] Error: checking package failed: formatting the integration failed (path: /var/lib/jenkins/workspace/gest-manager_integrations_PR-448/src/github.com/elastic/integrations/packages/zeek, failFast: true): walking through the integration files failed: formatting file failed (path: /var/lib/jenkins/workspace/gest-manager_integrations_PR-448/src/github.com/elastic/integrations/packages/zeek/data_stream/dns/fields/ecs.yml): file is not formatted (path: /var/lib/jenkins/workspace/gest-manager_integrations_PR-448/src/github.com/elastic/integrations/packages/zeek/data_stream/dns/fields/ecs.yml)

Try elastic-package format.

andrewkroh (Member) left a comment

LGTM. Just one minor issue that I apologize for naming the way I did.

- {from: zeek.dns.query, to: dns.question.name}
- {from: zeek.dns.qtype_name, to: dns.question.type}
- {from: zeek.dns.rcode_name, to: dns.response_code}
- convert:
ignore_missing: true
ignore_failure: true
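Review bot: the `convert` processor that begins on the last three lines of this hunk is given `ignore_failure: true`, but that is not the option libbeat's `convert` processor uses to tolerate a failed conversion; its key is `fail_on_error` (set to `false`), which is what the suggested change below switches to. Change this line to `fail_on_error: false` and leave `ignore_failure: true` in place only on the `registered_domain` processor, which does take that key.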
Suggested change by andrewkroh (Member):
ignore_failure: true
fail_on_error: false

Commits

add zeek system tests

- update version to 0.3.5
- capture_loss
- connection
- dce_rpc, update ecs.yml
- dhcp, update ecs.yml
- dnp3, update ecs.yml
- dns, update ecs.yml, fix type mismatch
- dpd
- files
- http, update ecs.yml, fix path configuration
- intel
- irc
- kerberos, update ecs.yml
- modbus, update ecs.yml
- mysql, update ecs.yml
- notice
- ntlm
- pe
- radius
- rdp, update ecs.yml
- rfb
- sip
- smb_cmd
- smb_files
- smb_mapping
- smtp
- snmp
- socks
- ssh
- ssl, update ecs.yml
- stats
- traceroute
- tunnel
- weird
- x509, update ecs.yml

incorporate feedback

- fix indentation in fields files
- fix "fail_on_error" option in dns
@leehinman leehinman merged commit d864401 into elastic:master Dec 10, 2020
@leehinman leehinman deleted the zeek_system_test branch December 10, 2020 20:39
@@ -21,7 +21,7 @@ processors:
target: zeek.dns
- registered_domain:
ignore_missing: true
ignore_failure: true
fail_on_error: false
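Review bot: `fail_on_error: false` on the last line of this hunk is applied to the `registered_domain` processor, not to a `convert` processor, and `registered_domain` takes `ignore_failure`, so the line it replaces (`ignore_failure: true`) was already correct; the `fail_on_error` fix from the review belongs only to the `convert` processor, and this change should be reverted to `ignore_failure: true`.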
andrewkroh (Member):

This one was correct with the use of ignore_failure: true.
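
As an added example (not code from this PR, elastic-package or libbeat), a small check for the option mix-up the two review comments above describe: `convert` tolerates errors with `fail_on_error: false`, `registered_domain` with `ignore_failure: true`, and the two keys have opposite polarity. Assumed: those libbeat option names; the processor lists below are constructed in the shape `yaml.safe_load` would return for a stream config.

```python
import copy

# Per processor type, the option that keeps the event on error (assumed from
# the libbeat docs). Note the opposite polarity of the two keys:
# ignore_failure: true  <=>  fail_on_error: false.
TOLERANCE_KEY = {"convert": "fail_on_error", "registered_domain": "ignore_failure"}
MIRROR = {"ignore_failure": "fail_on_error", "fail_on_error": "ignore_failure"}


def lint_processors(processors):
    """Return (index, processor name, wrong key, right key) for each processor
    that carries the other processor's tolerance option."""
    findings = []
    for i, proc in enumerate(processors):
        (name, opts), = proc.items()          # each entry is {name: options}
        right_key = TOLERANCE_KEY.get(name)
        if right_key is None or not isinstance(opts, dict):
            continue
        wrong_key = MIRROR[right_key]
        if wrong_key in opts:
            findings.append((i, name, wrong_key, right_key))
    return findings


def fix_processors(processors):
    """Return a corrected deep copy: rename the key and flip the boolean so the
    tolerance the author configured is preserved."""
    fixed = copy.deepcopy(processors)
    for i, name, wrong_key, right_key in lint_processors(fixed):
        opts = fixed[i][name]
        opts[right_key] = not bool(opts.pop(wrong_key))
    return fixed


# Constructed sample of the first review comment: registered_domain is fine,
# convert was given ignore_failure instead of fail_on_error.
DNS_PROCESSORS_BEFORE = [
    {"registered_domain": {"field": "dns.question.name",
                           "ignore_missing": True, "ignore_failure": True}},
    {"convert": {"fields": [{"from": "zeek.dns.trans_id", "type": "string"}],
                 "ignore_missing": True, "ignore_failure": True}},
]

# Constructed sample of the second hunk: the rename was over-applied to
# registered_domain as well.
DNS_PROCESSORS_OVERFIXED = [
    {"registered_domain": {"field": "dns.question.name",
                           "ignore_missing": True, "fail_on_error": False}},
    {"convert": {"fields": [{"from": "zeek.dns.trans_id", "type": "string"}],
                 "ignore_missing": True, "fail_on_error": False}},
]
```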

andrewkroh added a commit to andrewkroh/beats that referenced this pull request Jan 12, 2021
Fix usages of ignore_failure with convert processor.
Make DNS transaction ID a string.

elastic/integrations#448
andrewkroh added a commit to elastic/beats that referenced this pull request Jan 25, 2021
* Sync changes to AWS CloudTrail

elastic/integrations#408

* Sync changes to CheckPoint Firewall

Change type of event.severity.

elastic/integrations#409

* Sync changes from Cisco ASA / FTD

elastic/integrations#414

* Sync changes from Cisco IOS

Make icmp and igmp fields strings because they are keywords.

elastic/integrations#416

* Sync changes to CrowdStrike Falcon

Fix some field types.

elastic/integrations#377

* Sync changes to Fortinet Firewall

Drop assignip if the value is "N/A".

elastic/integrations#437

* Sync changes to Juniper SRX

Convert event.risk values to float
Protect against missing event.timezone
Convert event.severity to long.

elastic/integrations#443

* Sync changes to Suricata EVE

Convert suricata.eve.flow_id to string because the field is a keyword in the mapping.

elastic/integrations#457

* Sync changes to Zeek DNS

Fix usages of ignore_failure with convert processor.
Make DNS transaction ID a string.

elastic/integrations#448

* Add changelog
andrewkroh added a commit to andrewkroh/beats that referenced this pull request Feb 16, 2021
adriansr pushed a commit to elastic/beats that referenced this pull request Feb 17, 2021
#24077)

* Sync fixes from Integration Package Testing (#23424)
eyalkraft pushed a commit to build-security/integrations that referenced this pull request Mar 30, 2022