Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

system.auth - sync pipeline with Fleet integration #32360

Merged
merged 5 commits into from
Jul 20, 2022
Merged

system.auth - sync pipeline with Fleet integration #32360

merged 5 commits into from
Jul 20, 2022

Conversation

andrewkroh
Copy link
Member

@andrewkroh andrewkroh commented Jul 14, 2022
edited
Loading

What does this PR do?

Sync the pipeline for the system.auth dataset with the Fleet integration
from elastic/integrations#3705.

This removes the event.type authentication_failed and authentication_success
values which are not allowed as per ECS. You can use event.category: authentication
and event.outcome: success/failure to query instead.

Why is it important?

This should make the pipeline more efficient and it aligns the event.type field to ECS.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jul 14, 2022
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jul 14, 2022
@andrewkroh andrewkroh added the backport-7.17 Automated backport to the 7.17 branch with mergify label Jul 14, 2022
@elasticmachine
Copy link
Collaborator

elasticmachine commented Jul 14, 2022
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-07-19T20:22:30.336+0000

  • Duration: 77 min 39 sec

Test stats 🧪

Test Results
Failed 0
Passed 6316
Skipped 737
Total 7053

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@mergify
Copy link
Contributor

mergify bot commented Jul 19, 2022

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b feature/fb/system-auth-sync upstream/feature/fb/system-auth-sync
git merge upstream/main
git push upstream feature/fb/system-auth-sync

@andrewkroh
system.auth - sync pipeline with Fleet integration
8fadb43 
Sync the pipeline for the system.auth dataset with the Fleet integration
from elastic/integrations#3705.

This removes the event.type authentication_failed and authentication_success
values which are not allowed as per ECS. You can use event.category: authentication
and event.outcome: success/failure to query instead.
@andrewkroh
Add changelog
f23c582
@andrewkroh
Format GREEDYMULTILINE pattern
0586402
@andrewkroh
Replace set/remove with rename
f468b2a
@andrewkroh andrewkroh force-pushed the feature/fb/system-auth-sync branch from 9f22768 to f468b2a Compare July 19, 2022 20:20
@andrewkroh andrewkroh marked this pull request as ready for review July 19, 2022 20:22
@andrewkroh andrewkroh requested a review from a team as a code owner July 19, 2022 20:22
@andrewkroh andrewkroh requested review from belimawr and cmacknz and removed request for a team July 19, 2022 20:22
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@elasticmachine
Copy link
Collaborator

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@andrewkroh andrewkroh merged commit 475dd7e into elastic:main Jul 20, 2022
mergify bot pushed a commit that referenced this pull request Jul 20, 2022
@andrewkroh @mergify
system.auth - sync pipeline with Fleet integration (#32360)
186ce93 
Sync the pipeline for the system.auth dataset with the Fleet integration
from elastic/integrations#3705.

This removes the event.type authentication_failed and authentication_success
values which are not allowed as per ECS. You can use event.category: authentication
and event.outcome: success/failure to query instead.

(cherry picked from commit 475dd7e)
@mergify mergify bot mentioned this pull request Jul 20, 2022
Merged
andrewkroh added a commit that referenced this pull request Jul 26, 2022
@mergify @andrewkroh
[7.17](backport #32360) system.auth - sync pipeline with Fleet integr…
03ded87 
…ation (#32422)

* system.auth - sync pipeline with Fleet integration (#32360)

Sync the pipeline for the system.auth dataset with the Fleet integration
from elastic/integrations#3705.

This removes the event.type authentication_failed and authentication_success
values which are not allowed as per ECS. You can use event.category: authentication
and event.outcome: success/failure to query instead.

(cherry picked from commit 475dd7e)

* Update go-ucfg to v0.8.6

The module tests were failing because the empty tags array was being discarded
resulting in the tags value being treated as `nil`. And this was not being accepted as
a valid type for the inList function.

The cause was elastic/go-ucfg#188.

* Fix tests affected by go-ucfg upgrade

Backport fix from 0022ea4.

Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
@andrewkroh andrewkroh mentioned this pull request Jul 27, 2022
Merged
4 tasks
@brsolomon-deloitte
Copy link
Contributor

@andrewkroh this PR has broken Filebeat->Logstash->Elasticsearch for system.auth, please see

and consider reverting to use message as the grok source rather than event.original.

@faec faec mentioned this pull request Apr 4, 2023
Open
chrisberkhout pushed a commit that referenced this pull request Jun 1, 2023
@andrewkroh @chrisberkhout
system.auth - sync pipeline with Fleet integration (#32360)
66f33d7 
Sync the pipeline for the system.auth dataset with the Fleet integration
from elastic/integrations#3705.

This removes the event.type authentication_failed and authentication_success
values which are not allowed as per ECS. You can use event.category: authentication
and event.outcome: success/failure to query instead.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@belimawr belimawr belimawr approved these changes

@cmacknz cmacknz Awaiting requested review from cmacknz cmacknz is a code owner automatically assigned from elastic/elastic-agent-data-plane

Assignees

@andrewkroh andrewkroh

Labels
backport-7.17 Automated backport to the 7.17 branch with mergify enhancement Filebeat Filebeat Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@andrewkroh @elasticmachine @brsolomon-deloitte @belimawr