Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[decode_cef] Allow int64 (instead of int32) for bytesIn, bytesOut #36100

Closed
andrewkroh opened this issue Jul 18, 2023 · 1 comment · Fixed by #36108
Closed

[decode_cef] Allow int64 (instead of int32) for bytesIn, bytesOut #36100

andrewkroh opened this issue Jul 18, 2023 · 1 comment · Fixed by #36108
Assignees
@efd6
Labels
enhancement Filebeat Filebeat :Processors

Comments

@andrewkroh
Copy link
Member

andrewkroh commented Jul 18, 2023
edited
Loading

Describe the enhancement:

The decode_cef processor is a fairly strict implementation of the Micro Focus Security ArcSight Common Event Format Version 25 specification. In this document the CEF specification declares in (aka bytesIn) and out (aka bytesOut) as Integer types.

Our parser could be more permissive and allow these fields to be treated as int64 values. It will be a slightly less strict implementation of the specification, but I think the spec should have originally marked these a Long types.

beats/x-pack/filebeat/processors/decode_cef/cef/keys.go

Lines 91 to 98 in 57d649d

"in": {
Target: "bytesIn",
Type: IntegerType,
},
"out": {
Target: "bytesOut",
Type: IntegerType,
},

Describe a specific use case for the enhancement or feature:

Network devices with counters will be able to pass values larger than 2 GiB.
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jul 18, 2023
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jul 18, 2023
@efd6 efd6 self-assigned this Jul 19, 2023
@efd6 efd6 mentioned this issue Jul 19, 2023
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@efd6 efd6

Labels
enhancement Filebeat Filebeat :Processors
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

x-pack/filebeat/processors/decode_def/cef: relax size constraint on network bytes efd6/beats
3 participants
@andrewkroh @elasticmachine @efd6