Update Zeek DNS pipeline with ECS DNS fields #13324
Conversation
| function addDnsAnswers(evt) { | ||
| var answers = evt.Get("zeek.dns.answers"); | ||
| var ttls = evt.Get("zeek.dns.TTLs"); | ||
| if (!answers || !ttls || answers.length != ttls.length) { |
There was a problem hiding this comment.
I would hope that doesn't happen, but good check.
But if it does happen, I would suggest appending an error message to that effect to error.message instead of just returning.
Not a blocker, though. Can also be improved later.
There was a problem hiding this comment.
I think I'll wait on this. I'd like to find out how common of a condition this will be.
x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json
Outdated
Show resolved
Hide resolved
|
Test failures seem caused by cisco module (ASA?) cc @adriansr |
andrewkroh
force-pushed
the
feature/fb/zeek-dns-ecs
branch
from
565da97 to
a59ff94
Compare
|
Pinging @elastic/siem |
andrewkroh
changed the title
There was a problem hiding this comment.
LGTM, once changelog is rebased.
Jenkins appears to be flakiness (winlogbeat and libbeat).
Not sure about Travis CI failing in Filebeat:
======================================================================
ERROR: Test stopping filebeat under load: wait for all events being published.
----------------------------------------------------------------------
Traceback (most recent call last):
File "/go/src/github.com/elastic/beats/filebeat/tests/system/test_shutdown.py", line 57, in test_shutdown_wait_ok
max_timeout=15)
File "/go/src/github.com/elastic/beats/filebeat/tests/system/../../../libbeat/tests/system/beat/beat.py", line 387, in wait_log_contains
name=name)
File "/go/src/github.com/elastic/beats/filebeat/tests/system/../../../libbeat/tests/system/beat/beat.py", line 352, in wait_until
"Waited {} seconds.".format(max_timeout))
TimeoutError: Timeout waiting for 'log_contains' to be true. Waited 15 seconds.
----------------------------------------------------------------------
XML: /go/src/github.com/elastic/beats/filebeat/build/TEST-system.xml
[success] 16.36% test_autodiscover.TestAutodiscover.test_default_settings: 85.2112s
[success] 7.96% test_autodiscover.TestAutodiscover.test_docker: 41.4820s
[error] 4.88% test_shutdown.Test.test_shutdown_wait_ok: 25.4172s
This adds ECS DNS fields to the Zeek DNS fileset (but does not change or remove any existing ones). Relates elastic#13320
Use event.original Remove Z flag Add registered_domain Ensure destination.port is a long
andrewkroh
force-pushed
the
feature/fb/zeek-dns-ecs
branch
from
b240c32 to
ca81c60
Compare
|
It looks like flakiness in unrelated tests. I rebased it to fix the merge conflicts so we'll get another run of CI and check the results again. |
|
Should we still fill |
This adds ECS DNS fields to the Zeek DNS fileset (but does not change or remove any existing ones).
Relates #13320
Needs: