Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Filebeat] Explicitly set ECS version in Filebeat modules. #19198

Merged
merged 3 commits into from
Jun 16, 2020
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -397,6 +397,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- The s3 input can now automatically detect gzipped objects. {issue}18283[18283] {pull}18764[18764]
- Add geoip AS lookup & improve ECS categorization in aws cloudtrail fileset. {issue}18644[18644] {pull}18958[18958]
- Improved performance of PANW sample dashboards. {issue}19031[19031] {pull}19032[19032]
- Explicitly set ECS version in all Filebeat modules. {pull}19198[19198]

*Heartbeat*

Expand Down
5 changes: 5 additions & 0 deletions filebeat/module/traefik/access/config/traefik-access.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,3 +4,8 @@ paths:
- {{$path}}
{{ end }}
exclude_files: [".gz$"]
processors:
- add_fields:
target: ''
fields:
ecs.version: 1.5.0
2 changes: 2 additions & 0 deletions filebeat/tests/system/test_modules.py
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,8 @@ def test_fileset_file(self, module, fileset, test_file):
def run_on_file(self, module, fileset, test_file, cfgfile):
print("Testing {}/{} on {}".format(module, fileset, test_file))

self.assert_explicit_ecs_version_set(module, fileset)

try:
self.es.indices.delete(index=self.index_name)
except:
Expand Down
32 changes: 32 additions & 0 deletions libbeat/tests/system/beat/beat.py
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
import yaml
import hashlib
import re
import glob
from datetime import datetime, timedelta

from .compose import ComposeMixin
Expand Down Expand Up @@ -722,3 +723,34 @@ def get_beat_version(self):
proc.wait()

return self.get_log_lines(logfile="version")[0].split()[2]

def assert_explicit_ecs_version_set(self, module, fileset):
"""
Assert that the module explicitly sets the ECS version field.
"""
def get_config_paths(modules_path, module, fileset):
pathname = os.path.abspath(modules_path +
"/" +
module +
"/" +
fileset +
"/" +
"config/*.yml")
return glob.glob(pathname)

def is_ecs_version_set(path):
# parsing the yml file would be better but go templates in
# the file make that difficult
with open(path) as fhandle:
for line in fhandle:
if re.search("ecs\.version", line):
return True
return False

errors = []
for cfg_path in get_config_paths(self.modules_path, module, fileset):
if not is_ecs_version_set(cfg_path):
errors.append("{}".format(cfg_path))
if len(errors) > 0:
raise Exception("{}/{} ecs.version not explicitly set in:\n{}".format(module, fileset, '\n'.join(errors)))

Original file line number Diff line number Diff line change
Expand Up @@ -8,3 +8,8 @@ resource_manager_endpoint: {{ .resource_manager_endpoint }}
tags: {{.tags | tojson}}
publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}

processors:
- add_fields:
target: ''
fields:
ecs.version: 1.5.0
6 changes: 6 additions & 0 deletions x-pack/filebeat/module/azure/activitylogs/config/file.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,3 +6,9 @@ paths:
exclude_files: [".gz$"]
tags: {{.tags | tojson}}
publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}

processors:
- add_fields:
target: ''
fields:
ecs.version: 1.5.0
Original file line number Diff line number Diff line change
Expand Up @@ -7,3 +7,8 @@ storage_account_key: {{ .storage_account_key }}
resource_manager_endpoint: {{ .resource_manager_endpoint }}
tags: {{.tags | tojson}}
publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
processors:
- add_fields:
target: ''
fields:
ecs.version: 1.5.0
5 changes: 5 additions & 0 deletions x-pack/filebeat/module/azure/auditlogs/config/file.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,3 +6,8 @@ paths:
exclude_files: [".gz$"]
tags: {{.tags | tojson}}
publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
processors:
- add_fields:
target: ''
fields:
ecs.version: 1.5.0
Original file line number Diff line number Diff line change
Expand Up @@ -7,3 +7,8 @@ storage_account_key: {{ .storage_account_key }}
resource_manager_endpoint: {{ .resource_manager_endpoint }}
tags: {{.tags | tojson}}
publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
processors:
- add_fields:
target: ''
fields:
ecs.version: 1.5.0
5 changes: 5 additions & 0 deletions x-pack/filebeat/module/azure/signinlogs/config/file.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,3 +6,8 @@ paths:
exclude_files: [".gz$"]
tags: {{.tags | tojson}}
publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
processors:
- add_fields:
target: ''
fields:
ecs.version: 1.5.0
Original file line number Diff line number Diff line change
Expand Up @@ -20,3 +20,7 @@ publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}

processors:
- add_locale: ~
- add_fields:
target: ''
fields:
ecs.version: 1.5.0
4 changes: 4 additions & 0 deletions x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,3 +20,7 @@ processors:
lang: javascript
id: crowdstrike_falcon
file: ${path.home}/module/crowdstrike/falcon/config/pipeline.js
- add_fields:
target: ''
fields:
ecs.version: 1.5.0
4 changes: 4 additions & 0 deletions x-pack/filebeat/module/fortinet/firewall/config/firewall.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,3 +24,7 @@ tags: {{.tags}}

processors:
- add_locale: ~
- add_fields:
target: ''
fields:
ecs.version: 1.5.0