Fix Source IP "LOCAL" or "Unknown" in Winlogbeat Security Ingest Pipeline #34251
This is a processor for parsing AWS VPC flow logs. It requires a user-specified log format. It can populate the original flow log fields, ECS fields, or both.

Usage:

```yaml
processors:
  - parse_aws_vpc_flow_log:
      format: version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
  - community_id: ~
```

Benchmark:

```
goos: darwin
goarch: arm64
pkg: github.com/elastic/beats/v7/x-pack/filebeat/processors/aws_vpcflow
BenchmarkProcessorRun/original-mode-v5-message-10           2810948   2138 ns/op   2836 B/op   31 allocs/op
BenchmarkProcessorRun/ecs-mode-v5-message-10                1914754   3107 ns/op   1908 B/op   41 allocs/op
BenchmarkProcessorRun/ecs_and_original-mode-v5-message-10   1693279   3538 ns/op   3076 B/op   41 allocs/op
```

Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>

(cherry picked from commit 1a86e42)

Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
This was happening due to the error level logging when the log path matcher detected a `log.file.path` that does not start with a standard Docker container log folder `/var/lib/docker/containers` because AKS dropped support for Docker in September 2022 and switched to containerd. It looks like this message was not supposed to be on the error level in the first place since it just means that the matcher didn't match and it's not an error. But it was mistakenly promoted from the debug level in #16866 most likely because the message started with `Error` and looked confusing. This is a partial fix to unblock our customers, but we still need to come up with the full AKS/containerd support in a follow up change.

(cherry picked from commit 29f0b4c)

Co-authored-by: Denis <denis.rechkunov@elastic.co>
Update the aws.vpcflow dataset in the AWS module to use the parse_aws_vpc_flow_log processor. I also updated the module to be aligned with ECS. It was not using valid event.category and event.type values. It will now produce `event.category: [network]`. And `event.type: [connection]` or `[connection, allowed]` or `[connection, denied]`.

(cherry picked from commit 703d529)

Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
* [Heartbeat] Fix zip monitors by changing the check group after summary docs

  Fixes #33698
* Add null check
* More robust check groups
* Add nil check
* Make linter happy
* Remove accidental config
* Fix heartbeat.yml
* Update x-pack/heartbeat/monitors/browser/synthexec/enrich.go

  Co-authored-by: Emilio Alvarez Piñeiro <95703246+emilioalvap@users.noreply.github.com>
* Add changelog

Co-authored-by: Emilio Alvarez Piñeiro <95703246+emilioalvap@users.noreply.github.com>

(cherry picked from commit 453dfcb)

Co-authored-by: Andrew Cholakian <andrewvc@elastic.co>
…or (#33720) (#33780)

Configs may be run in arbitrary order during tests, so make sure that the error is invariant with respect to the address and reason. This has no impact on the logic of the input in production.

(cherry picked from commit 4f9aadc)

Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
The old tests were based on Debian Jessie released in April 2015 (end-of-life on June 30, 2020). We started having problems with expired GPG keys when installing dependencies in our Docker files.

Also:

* Add the missing MPM module and the `ServerName` directive for Apache.
* Add retries to Logstash tests because they are flaky
* Do not install mage v1.14.0
* Update elastic-agent-client version to avoid broken agent dependency

(cherry picked from commit 4f639d7)

Co-authored-by: Denis <denis.rechkunov@elastic.co>
The callback may be called with a nil RemoteAddr in the metadata parameter, so ensure that this is not nil before attempting to dereference it.

(cherry picked from commit 105fbda)

Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
)

* Register the add_formatted_index as a usage processor for the processors list.
* Re-add removed file.
* Add changelog entry.
* Add missing return in String().
* Change implementation to use a boolean.

(cherry picked from commit 4c4eecf)

Co-authored-by: Blake Rouse <blake.rouse@elastic.co>
…ng (#33872)

Co-authored-by: apmmachine <infra-root-apmmachine@elastic.co>
* handle EOF on single line content
* changelog
* fallback to encode_eof if no events in aws-s3 input
* lint
* lint
* collect on EOF in line reader
* remove encode eof
* remove iterN
* fix test
* increase test coverage
* linting
* more linting
* increase coverage

(cherry picked from commit 7b45320)

Co-authored-by: Andrea Spacca <andrea.spacca@elastic.co>
see actions/setup-go#295

(cherry picked from commit 0105608)

Co-authored-by: Victor Martinez <victormartinezrubio@gmail.com>
…3700)

Co-authored-by: hxms <hxms@live.cn>
Co-authored-by: DeDe Morton <dede.morton@elastic.co>

(cherry picked from commit dc1a0ca)

Co-authored-by: 冰天雪地 <hxmswl@gmail.com>
Co-authored-by: Denis <denis.rechkunov@elastic.co>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
* Edit replace processor docs and publish them
* Fix heading levels
* Apply change from rdner

  Co-authored-by: Denis <denis@rdner.de>

Co-authored-by: Denis <denis@rdner.de>

(cherry picked from commit 9d87b62)

Co-authored-by: DeDe Morton <dede.morton@elastic.co>
…ng (#33911)

Co-authored-by: apmmachine <infra-root-apmmachine@elastic.co>
* Add support for excluded paths in packaging

  After an update in heartbeat we have a path like `usr/share/heartbeat/.node/node/lib/node_modules/@elastic/synthetics/templates/lightweight/heartbeat.yml` which matches the `configFilePattern` which causes a permission check which the file does not satisfy. It has nothing to do with the actual heartbeat configuration file.
* Fix linting issues
* Fix one more linting issue

(cherry picked from commit 3198a68)

Co-authored-by: Denis <denis.rechkunov@elastic.co>
)

Older versions of Debian have expired GPG keys. In this case `-y` is not enough and `apt-get` requires an additional `--force-yes`.

(cherry picked from commit 6c0dc97)

Co-authored-by: Denis <denis.rechkunov@elastic.co>
This pull request is now in conflicts. Could you fix it? 🙏
This pull request does not have a backport label.
To fixup this pull request, you need to add the backport labels for the needed
What does this PR do?
Some security events contain a source IP address of "LOCAL" or "Unknown", which are not valid IP addresses. This PR will correct the processing of events containing one of those values.
Why is it important?
This bug causes mapping exceptions and prevents these events from being ingested.
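The failure described above comes from writing a non-address string into a field mapped as type `ip`. As an added illustration (not code from this PR or from Beats), the function below mirrors the guard an ingest pipeline needs: it only populates `source.ip` when the raw value parses as an address and leaves the placeholder untouched otherwise. The field name `winlog.event_data.IpAddress`, the extra `-` placeholder and the IPv4-mapped IPv6 normalisation are assumptions beyond what the PR states; the sample events are constructed.

```python
import ipaddress
from typing import Optional

# Placeholder values Windows Security events put in IpAddress when no network
# address applies. "LOCAL" and "Unknown" are named in the PR; "-" is an
# assumption added here because it is commonly seen in the same field.
NON_IP_PLACEHOLDERS = {"LOCAL", "Unknown", "-"}


def parse_source_ip(raw: Optional[str]) -> Optional[str]:
    """Return a canonical IP string, or None when the value is not an address.

    Anything that is not an address would be rejected by an ip-mapped field
    such as source.ip, which is the mapping exception the PR is fixing.
    """
    if raw is None:
        return None
    value = raw.strip()
    if value == "" or value in NON_IP_PLACEHOLDERS:
        return None
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        # Any other junk is treated the same way as the known placeholders.
        return None
    # Windows frequently logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d);
    # normalise those to plain IPv4 so they match other sources in the index.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def enrich_event(event: dict) -> dict:
    """Set source.ip only when winlog.event_data.IpAddress is a real address.

    The raw field is left as-is in every case so nothing is lost for analysts.
    """
    raw = event.get("winlog", {}).get("event_data", {}).get("IpAddress")
    ip = parse_source_ip(raw)
    if ip is not None:
        event.setdefault("source", {})["ip"] = ip
    return event


# Constructed sample events in the shape Winlogbeat produces for logon events.
SAMPLE_EVENTS = [
    {"winlog": {"event_data": {"IpAddress": "LOCAL"}}},
    {"winlog": {"event_data": {"IpAddress": "Unknown"}}},
    {"winlog": {"event_data": {"IpAddress": "::ffff:10.1.2.3"}}},
    {"winlog": {"event_data": {"IpAddress": "192.168.1.10"}}},
]
```

Running `enrich_event` over `SAMPLE_EVENTS` yields `source.ip` only for the last two events, so the first two index without a mapping exception.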
Checklist
- CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc
Related issues
- fixes #19627