filebeat module juniper having bug in painless script #22595

Closed
111andre111 opened this issue Nov 16, 2020 · 8 comments

@111andre111
Contributor

111andre111 commented Nov 16, 2020

At the moment there is a bug in the painless lines of juniper module in filebeat junos fileset:
https://www.elastic.co/guide/en/beats/filebeat/7.10/filebeat-module-juniper.html
in lines
https://github.com/elastic/beats/blob/v7.10.0/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml#L60
https://github.com/elastic/beats/blob/v7.10.0/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml#L65

These produce a Painless error in Elasticsearch:
Result of null safe operator must be nullable
and go back to this fact:
https://www.elastic.co/guide/en/elasticsearch/painless/7.10/painless-operators-reference.html#null-safe-operator

So a workaround for now is changing these file lines in the filebeat filesystem:
file module/juniper/junos/ingest/pipeline.yml
line 60 change
if: ctx?.host?.hostname && ctx.host?.hostname != ''
to
if: ctx?.host?.hostname != null && ctx.host.hostname != ''
line 65 change
if: ctx?.server?.domain && ctx.server?.domain != ''
to
if: ctx?.server?.domain != null && ctx.server.domain != ''
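
A check for the pattern reported in the comment above, as an added example that is not part of the issue thread or of the Beats project: it scans `if:` conditions in an ingest pipeline file and flags any `&&` / `||` operand that is a null-safe chain used directly as a boolean instead of being compared. The function names and the regex heuristic are assumptions of this example, and `SAMPLE` is constructed (the `host.hostname` processor body is modelled on the `server.domain` processor quoted later in the thread).

```python
import re

# A comparison (or instanceof) yields a boolean by itself, so a null-safe
# chain inside it is not the value being cast to a primitive boolean.
_COMPARED = re.compile(r"==|!=|<=|>=|<|>|\binstanceof\b")
_IF_LINE = re.compile(r"^\s*(?:-\s*)?if:\s*(.+?)\s*$")

# Constructed sample: first condition as reported, second with the workaround.
SAMPLE = """\
processors:
  - append:
      field: related.hosts
      value: '{{host.hostname}}'
      allow_duplicates: false
      if: ctx?.host?.hostname && ctx.host?.hostname != ''
  - append:
      field: related.hosts
      value: '{{server.domain}}'
      allow_duplicates: false
      if: ctx?.server?.domain != null && ctx.server.domain != ''
"""


def bare_null_safe_operands(condition):
    """Return && / || operands that are null-safe chains used as booleans."""
    cond = condition.strip()
    if len(cond) >= 2 and cond[0] == cond[-1] and cond[0] in "'\"":
        cond = cond[1:-1]  # drop YAML quoting around the whole condition
    operands = [part.strip() for part in re.split(r"&&|\|\|", cond)]
    return [op for op in operands if "?." in op and not _COMPARED.search(op)]


def lint_pipeline(text):
    """Return (line_number, operand) for every flagged `if:` condition."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = _IF_LINE.match(line)
        if match:
            findings += [(number, op) for op in bare_null_safe_operands(match.group(1))]
    return findings


if __name__ == "__main__":
    for number, operand in lint_pipeline(SAMPLE):
        print(f"line {number}: '{operand}' is used as a boolean; compare it with null")
```

The check is line-based and does not parse YAML or Painless, so multi-line conditions and operators inside string literals are outside what it handles.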

@botelastic botelastic bot added the needs_team label (Indicates that the issue/PR needs a Team:* label) Nov 16, 2020
@botelastic botelastic bot removed the needs_team label (Indicates that the issue/PR needs a Team:* label) Nov 16, 2020
@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic

botelastic bot commented Oct 17, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the Stalled label Oct 17, 2021
@botelastic botelastic bot closed this as completed Nov 16, 2021
@111andre111
Contributor Author

Let me just reopen that because I think there is still reason in fixing this.

@111andre111 111andre111 reopened this Nov 16, 2021
@botelastic botelastic bot removed the Stalled label Nov 16, 2021
@efd6
Contributor

efd6 commented Jan 6, 2022

@111andre111 Is there a specific failure that you are seeing? The code corresponding to the original report looks correct in the current tip.

@111andre111
Contributor Author

111andre111 commented Jan 6, 2022

Ok, yes @efd6 you are right. It seems this came in with this PR: #23035

However, I don't understand why the server.domain part is completely gone since this PR.
Do you possibly know any reason for that?

  - append:
        field: related.hosts
        value: '{{server.domain}}'
        allow_duplicates: false
        if: ctx?.server?.domain && ctx.server?.domain != ''

https://github.com/elastic/beats/blob/v7.10.0/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml#L61-L65

@efd6
Contributor

efd6 commented Jan 6, 2022

Yeah, I saw that. I'm afraid I don't know the answer to that, it was before my time. It is worth noting though that the code that is there now is autogenerated using the rsa2elk tool, so that could be part of it.

@efd6
Contributor

efd6 commented Jan 6, 2022

OK, I have an answer; it is done in the js, here.

@111andre111
Contributor Author

111andre111 commented Jan 6, 2022

Ah, yes. You are right @efd6. Thank you.
So in this case it seems everything from this issue is covered now, and I will go ahead and close this.
