Improve ECS categorization mappings in envoyproxy module.
- convert pipeline to yaml
- event.category
- event.kind
- event.outcome
- event.type
- network.protocol
- network.transport
- related.ip

Closes #16161
leehinman committed May 8, 2020
1 parent c88f07f commit 0f7cd02
Showing 14 changed files with 356 additions and 356 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -311,6 +311,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Improve ECS categorization field mappings in system module. {issue}16031[16031] {pull}18065[18065]
- Change the `json.*` input settings implementation to merge parsed json objects with existing objects in the event instead of fully replacing them. {pull}17958[17958]
- Improve ECS categorization field mappings in osquery module. {issue}16176[16176] {pull}17881[17881]
- Improve ECS categorization field mappings in envoyproxy module. {issue}16161[16161] {pull}18395[18395]

*Heartbeat*

47 changes: 0 additions & 47 deletions x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-entry.json

This file was deleted.

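--- a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-entry.yml
+++ b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-entry.yml
@@ -0,0 +1,47 @@
+description: Pipeline for normalizing envoyproxy logs
+processors:
+- pipeline:
+if: ctx.message.charAt(0) != (char)("{")
+name: '{< IngestPipeline "pipeline-plaintext" >}'
+- pipeline:
+if: ctx.message.charAt(0) == (char)("{")
+name: '{< IngestPipeline "pipeline-json" >}'
+- pipeline:
+name: '{< IngestPipeline "pipeline-geo-as" >}'
+- set:
+field: event.created
+value: '{{@timestamp}}'
+- append:
+field: related.ip
+value: "{{source.ip}}"
+if: "ctx?.source?.ip != null"
+- append:
+field: related.ip
+value: "{{destination.ip}}"
+if: "ctx?.destination?.ip != null"
+- set:
+field: event.kind
+value: event
+- append:
+field: event.category
+value: network
+- append:
+field: event.outcome
+value: failure
+if: "ctx?.envoyproxy?.response_flags != null"
+- append:
+field: event.outcome
+value: success
+if: "ctx?.envoyproxy?.response_flags == null"
+- set:
+field: '@timestamp'
+value: '{{timestamp}}'
+if: ctx.timestamp != null
+- remove:
+field:
+- timestamp
+ignore_failure: true
+on_failure:
+- set:
+field: error.message
+value: 'pipeline-entry: {{ _ingest.on_failure_message }}'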
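Review bot: `event.outcome` is a single-valued ECS field, but the two processors that fill it near the end of the processor list use `append`, which yields a one-element array (`event.outcome: ["failure"]`) rather than the plain string that `event.kind` receives via `set` a few lines earlier; since the two `if` conditions are mutually exclusive, `- set:` can replace `- append:` on both without changing which value is chosen. The routing conditions at the top call `ctx.message.charAt(0)` unguarded, so an empty or missing `message` throws inside the `if` and the event goes straight to the `on_failure` handler before any normalization runs; `if: ctx.message != null && ctx.message.length() > 0 && ctx.message.charAt(0) != (char)("{")` would keep such events on the plaintext path, where the failure is reported by that pipeline instead. Whether a non-null `response_flags` always means a failed request is not established by this file — it depends on what pipeline-plaintext leaves in that field (if it passes the value through, Envoy's `-` placeholder for "no flags" would also count as a failure), so the outcome logic deserves a comment such as `# response_flags is only present when pipeline-plaintext saw a non-empty flag set` once that is confirmed.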
94 changes: 0 additions & 94 deletions x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-http.json

This file was deleted.

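--- a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-http.yml
+++ b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-http.yml
@@ -0,0 +1,61 @@
+description: Pipeline for normalizing envoy HTTP ACCESS logs
+processors:
+- script:
+lang: painless
+source: >-
+ctx['http'] = new HashMap();
+def p = ctx.proto.indexOf ('/');
+def l = ctx.proto.length();
+ctx.http.version = ctx.proto.substring(p+1, l);
+ignore_failure: true
+- rename:
+field: method
+target_field: http.request.method
+- rename:
+field: path
+target_field: url.path
+- convert:
+field: response_code
+type: long
+- rename:
+field: response_code
+target_field: http.response.status_code
+- rename:
+field: bytes_received
+target_field: http.response.body.bytes
+- convert:
+field: http.response.body.bytes
+type: long
+- rename:
+field: bytes_sent
+target_field: http.request.body.bytes
+- convert:
+field: http.request.body.bytes
+type: long
+- script:
+lang: painless
+source: ctx.envoyproxy.upstream_service_time = Math.round(Double.parseDouble(ctx.upstream_service_time) * params.scale)
+params:
+scale: 1000000
+if: ctx.upstream_service_time != null && ctx.upstream_service_time != '-'
+- set:
+field: envoyproxy.proxy_type
+value: http
+- set:
+field: url.domain
+value: '{{envoyproxy.authority}}'
+- user_agent:
+field: user_agent.original
+ignore_missing: true
+- append:
+field: event.type
+value:
+- connection
+- protocol
+- set:
+field: network.protocol
+value: http
+on_failure:
+- set:
+field: error.message
+value: 'pipeline-http: {{ _ingest.on_failure_message }}'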
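Review bot: The `set` of `url.domain` to `'{{envoyproxy.authority}}'` has no condition, so when `envoyproxy.authority` is absent the template renders to an empty string and the event carries `url.domain: ""` instead of no field; the neighbouring `user_agent` step already uses `ignore_missing: true`, and this step should likewise carry `if: ctx?.envoyproxy?.authority != null`. The authority Envoy logs is the client-supplied Host header and may arrive as `host:port`, in which case the port would need to be split off before the value lands in `url.domain`; whether that happens depends on what pipeline-plaintext stores in `envoyproxy.authority`, which this diff does not show. The first script creates `ctx['http']` before touching `ctx.proto` and runs with `ignore_failure: true`, so a missing or malformed `proto` appears to leave an empty `http` map on the event; a comment such as `# proto may be absent; http.version is then simply not set` would record that this is intended.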
47 changes: 0 additions & 47 deletions x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-json.json

This file was deleted.

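--- a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-json.yml
+++ b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-json.yml
@@ -0,0 +1,26 @@
+description: Pipeline for normalizing envoyproxy access logs
+processors:
+- json:
+field: message
+target_field: json
+- remove:
+field:
+- message
+ignore_failure: true
+- rename:
+field: json.message
+target_field: message
+ignore_failure: true
+- rename:
+field: json.kubernetes
+target_field: kubernetes
+ignore_failure: true
+- remove:
+field:
+- json
+- pipeline:
+name: '{< IngestPipeline "pipeline-plaintext" >}'
+on_failure:
+- set:
+field: error.message
+value: 'pipeline-json: {{ _ingest.on_failure_message }}'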
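Review bot: The `remove` of `message` runs before the `rename` of `json.message` into `message`, and that rename has `ignore_failure: true`, so a JSON line without a `message` key loses its original content: `message` is already gone, `json` is removed two steps later, and the event reaches `pipeline-plaintext` with nothing to parse and nothing left for an operator to diagnose. Guarding the removal with `if: ctx.json?.message != null` keeps the raw line on the event in that case; the subsequent rename then fails because the target exists, which its `ignore_failure` already covers. Any wrapper keys other than `message` and `kubernetes` are discarded with the final `remove` of `json`; if that is deliberate, a comment on that step such as `# only message and kubernetes are lifted out; the rest of the wrapper is dropped` would save the next reader from checking.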
