From 9fc68ae1ddfef4ac3458ed40ce6880fbf3613803 Mon Sep 17 00:00:00 2001
From: Lee Hinman <57081003+leehinman@users.noreply.github.com>
Date: Thu, 17 Dec 2020 16:48:25 -0600
Subject: [PATCH] simplify regex for org & custom prefix in aws/cloudtrail (#23204)

- only match on /CloudTrail/, /CloudTrail-Digest/ and /CloudTrail-Insight/, ignore variable prefix

Closes #23203

(cherry picked from commit 6935dc6c5ec4576e667040a0da39d71aaf465c59)
---
 CHANGELOG.next.asciidoc | 1 +
 x-pack/filebeat/module/aws/cloudtrail/config/s3.yml | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 7003f36429d..2a5fff6922b 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -246,6 +246,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix bad `network.direction` values in Fortinet/firewall fileset. {pull}23072[23072]
 - Fix Cisco ASA/FTD module's parsing of WebVPN log message 716002. {pull}22966[22966]
 - Add support for organization and custom prefix in AWS/CloudTrail fileset. {issue}23109[23109] {pull}23126[23126]
+- Simplify regex for organization custom prefix in AWS/CloudTrail fileset. {issue}23203[23203] {pull}23204[23204]
 *Heartbeat*
diff --git a/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml b/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml
index ecc73ba5365..16b8bc5eec2 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml
+++ b/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml
@@ -2,16 +2,16 @@ type: s3
 queue_url: {{ .queue_url }}
 file_selectors:
 {{ if .process_cloudtrail_logs }}
- - regex: 'AWSLogs/\d+/CloudTrail/'
+ - regex: '/CloudTrail/'
 expand_event_list_from_field: 'Records'
 {{ end }}
 {{ if .process_digest_logs }}
- - regex: 'AWSLogs/\d+/CloudTrail-Digest/'
+ - regex: '/CloudTrail-Digest/'
 {{ end }}
 {{ if .process_insight_logs }}
- - regex: 'AWSLogs/\d+/CloudTrail-Insight/'
+ - regex: '/CloudTrail-Insight/'
 expand_event_list_from_field: 'Records'
 {{ end }}
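Review bot: The three new selectors (`'/CloudTrail/'`, `'/CloudTrail-Digest/'`, `'/CloudTrail-Insight/'`) are unanchored substring matches, so any object key in the notified bucket that happens to contain one of those path segments is selected and, for the first and third, parsed with `expand_event_list_from_field: 'Records'` as if it were AWS-written CloudTrail output; the old `AWSLogs/\d+/` prefix at least tied selection to the account-scoped layout AWS itself produces. If every supported layout (organization trails, custom prefixes) still contains an `AWSLogs/` segment ahead of the variable parts, which I believe it does but cannot confirm from the hunk, a pattern such as `regex: 'AWSLogs/(?:[^/]+/)*CloudTrail/'` (and the same shape for the Digest and Insight selectors) keeps the intent of ignoring the prefix while rejecting unrelated keys. At minimum the template deserves a comment above `file_selectors:` stating the trade-off, e.g. `# Selectors match the path segment anywhere in the object key; keep the queue's bucket limited to CloudTrail output.`. The `file_selectors:` list is the only part of this template visible in the hunk; the rest of s3.yml lies outside it.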