-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
filebeat module juniper having bug in painless script #22595
Comments
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Let me just reopen that because I think there is still reason in fixing this. |
@111andre111 Is there a specific failure that you are seeing? The code corresponding to the original report looks correct in the current tip. |
Ok, yes @efd6 you are right. It seems this came in with this PR: #23035 However I don't understand, why the server.domain part is completely gone since this PR.
|
Yeah, I saw that. I'm afraid I don't know the answer to that, it was before my time. It is worth noting though that the code that is there now is autogenerated using the rsa2elk tool, so that could be part of it. |
OK, I have an answer; it is done in the js, here. |
Ah, yes. You are right @efd6 . Thank you. |
At the moment there is a bug in the painless lines of juniper module in filebeat junos fileset:
https://www.elastic.co/guide/en/beats/filebeat/7.10/filebeat-module-juniper.html
in lines
https://github.com/elastic/beats/blob/v7.10.0/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml#L60
https://github.com/elastic/beats/blob/v7.10.0/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml#L65
These produce an error in Elasticsearch painless error:
Result of null safe operator must be nullable
and go back to this fact:
https://www.elastic.co/guide/en/elasticsearch/painless/7.10/painless-operators-reference.html#null-safe-operator
So a workaround for now is changing these file lines in the filebeat filesystem:
file
module/juniper/junos/ingest/pipeline.yml
line 60 change
if: ctx?.host?.hostname && ctx.host?.hostname != ''
to
if: ctx?.host?.hostname != null && ctx.host.hostname != ''
line 65 change
if: ctx?.server?.domain && ctx.server?.domain != ''
to
if: ctx?.server?.domain != null && ctx.server.domain != ''
The text was updated successfully, but these errors were encountered: