[Winlogbeat] Switch to ingest node processing #29435
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
botelastic
bot
added
the
needs_team
|
This pull request does not have a backport label. Could you fix it @leehinman? 🙏
NOTE: |
mergify
bot
added
the
backport-skip
💚 Flaky test reportTests succeeded. 🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
leehinman
added
backport-v8.0.0
botelastic
bot
removed
the
needs_team
mergify
bot
removed
the
backport-skip
leehinman
force-pushed
the
winlogbeat_pipelines
branch
from
98c4e77 to
2f3b0c5
Compare
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
winlogbeat/module/pipeline.go
Outdated
| } | ||
| f, err := os.Create(filepath.Join(directory, pipeline.id+".json")) | ||
| if err != nil { | ||
| return fmt.Errorf("unable to create file to export pipeline to: %+v", err) |
There was a problem hiding this comment.
Do we want to use %w here for the error so it gets wrapped? Same applies for other instances below.
There was a problem hiding this comment.
good idea, I switched them.
leehinman
force-pushed
the
winlogbeat_pipelines
branch
from
2f3b0c5 to
646b91d
Compare
andrewkroh
reviewed
Dec 20, 2021
winlogbeat/beater/winlogbeat.go
Outdated
|
|
||
| "github.com/elastic/beats/v7/winlogbeat/checkpoint" | ||
| "github.com/elastic/beats/v7/winlogbeat/config" | ||
| "github.com/elastic/beats/v7/winlogbeat/eventlog" | ||
| ) | ||
|
|
||
| const pipelinesWarning = "Winlogbeat is unable to load the ingest pipelines" + | ||
| " because the Elasticsearch output is not configured/enabled. If you have" + | ||
| " already loaded the ingest pipelines or are using Logstash pipelines, you" + |
There was a problem hiding this comment.
or are using Logstash pipelines
This was probably copied from Filebeat. I don't think it should mention Logstash pipelines.
- remove JS processing - remove testing of JS processing - add ingest node pipelines from agent - use routing pipeline to direct to correct module pipeline - embed pipelines in winlogbeat executable - add `export pipeline` command - add loading of pipelines to setup command - add loading of pipelines to every ES connection if the pipelines don't exist - exports several functions from filebeat/fileset to avoid code duplication - update docs - update default config - update reference config Closes elastic#29184
Co-authored-by: Andrew Kroh <[email protected]>
Co-authored-by: Andrew Kroh <[email protected]>
Co-authored-by: Andrew Kroh <[email protected]>
Co-authored-by: Andrew Kroh <[email protected]>
Co-authored-by: Andrew Kroh <[email protected]>
- remove reference to Logstash pipelines - cleanup grammar in godoc - move logger creation
- always honor winlogbeat.overwrite_pipelines - switch to prefix-version-short_id for pipeline ids
leehinman
force-pushed
the
winlogbeat_pipelines
branch
from
61dd69b to
383c80d
Compare
efd6
reviewed
Jan 3, 2022
|
I'll merge this when it goes green. |
andrewkroh
added
breaking change
release-note:breaking
mergify bot
pushed a commit
that referenced
this pull request
Jan 4, 2022
What does this PR do? Switches to ingest node processing instead of local javascript processing for modules. Why is it important? For Agent we are using ingest node processing. This keeps the Winlogbeat and Agent processing in sync and allows bug fixes to be shared between them. Changes - remove JS processing - remove testing of JS processing - add ingest node pipelines from agent - use routing pipeline to direct to correct module pipeline - embed pipelines in winlogbeat executable - add `export pipeline` command - add loading of pipelines to setup command - add loading of pipelines to every ES connection if the pipelines don't exist - exports several functions from filebeat/fileset to avoid code duplication - update docs - update default config - update reference config Closes #29184 (cherry picked from commit a3c2208)
|
This looks like a big blow to the Logstash users out there. Is the local processing being removed entirely? This would put in a very challenging barrier to upgrade for the users that rely on Logstash for all enrichment before sending to Elasticsearch. The move makes sense but it will be great to have a plan for those who need to migrate away from heavy Logstash use. One simple use case is that specific logs are tagged and indexed based on preparsed data from Winlogbeat. Maybe that will go away with data streams but it is without question users will be forced to use ingest pipelines to match current enrichment capabilities and they hope the ingest pipelines have the functionality needed to reproduce what Logstash can without adding complexity to the stack. Also, I am wondering what this processing performance will look like as it goes from the individual systems to centralizing it on ingest nodes. When talking 10k+ or 100k+ winlogbeat agents, how much ingest processing will be needed since the decentralized processing goes away. This is just my current reaction to what I can understand from this issue. Great capabilities regardless. |
andrewkroh
pushed a commit
that referenced
this pull request
Jan 4, 2022
What does this PR do? Switches to ingest node processing instead of local javascript processing for modules. Why is it important? For Agent we are using ingest node processing. This keeps the Winlogbeat and Agent processing in sync and allows bug fixes to be shared between them. Changes - remove JS processing - remove testing of JS processing - add ingest node pipelines from agent - use routing pipeline to direct to correct module pipeline - embed pipelines in winlogbeat executable - add `export pipeline` command - add loading of pipelines to setup command - add loading of pipelines to every ES connection if the pipelines don't exist - exports several functions from filebeat/fileset to avoid code duplication - update docs - update default config - update reference config Closes #29184 (cherry picked from commit a3c2208) Co-authored-by: Lee E Hinman <[email protected]>
|
Hi there. Just a question. Would it not make sense to add the ECS field |
|
@herrBez Please open a new issue. 👍 |
efd6
added a commit
to efd6/beats
that referenced
this pull request
May 1, 2022
This brings partially processed event data from a modified version of the testing code at 8896fd3 (the commit immediately prior to the removal of the javascript processing pipeline in elastic#29435: commit at 2f3b0c5cbe9cfdd10e11fd52e2a259e564001100). The evtx.golden.json files were generated by removing the js processing call at https://github.com/elastic/beats/blob/8896fd319a257f3e0783119a7dd8d0978ef62197/x-pack/winlogbeat/module/testing_windows.go#L132-L135 to match the code in that file as it appears here and then run go test -update in x-pack/winlogbeat/module/{powershell,security,sysmon}/test on a windows 2019 host. The test package for each of the modules is also resurrected with modifications reflecting the loss of the javascript processor. Tests in x-pack/winlogbeat/module/{security,sysmon}/test fail in this commit.
efd6
added a commit
that referenced
this pull request
May 3, 2022
This is a moderately involved change. The process is described in the steps below, but the reader should refer to the commits in the PR to see exactly what was done and when. * port forward semi-processed events for tests This brings partially processed event data from a modified version of the testing code at 8896fd3 (the commit immediately prior to the removal of the javascript processing pipeline in #29435: commit at 2f3b0c5cbe9cfdd10e11fd52e2a259e564001100). The evtx.golden.json files were generated by removing the js processing call at https://github.com/elastic/beats/blob/8896fd319a257f3e0783119a7dd8d0978ef62197/x-pack/winlogbeat/module/testing_windows.go#L132-L135 to match the code in that file as it appears here and then run go test -update in x-pack/winlogbeat/module/{powershell,security,sysmon}/test on a windows 2019 host. The test package for each of the modules is also resurrected with modifications reflecting the loss of the javascript processor. Tests in x-pack/winlogbeat/module/{security,sysmon}/test fail in this commit. * make sure metadata is available for enrichment of raw values This fixes failing tests in x-pack/winlogbeat/module/security/test, but tests in sysmon continue to fail because sysmon-11-filedeletedetected.evtx was added in 33acb3c (2022-01-25) after the origin of the forward port origin (2021-12-02). * update golden file for sysmon-11-filedeletedetected.evtx * ignore opcode field on Windows 2022 Also prohibit generating golden files for PowerShell on Windows 2022 to prevent unnecessary work in discovering that this will fail on other versions. * defer event field filtering until value comparison This will result in additional diff noise if golden values are generated on multiple versions of windows so it may be worth keeping the version used reasonably constant. The version used here was 2019.
mergify bot
pushed a commit
that referenced
this pull request
May 3, 2022
This is a moderately involved change. The process is described in the steps below, but the reader should refer to the commits in the PR to see exactly what was done and when. * port forward semi-processed events for tests This brings partially processed event data from a modified version of the testing code at 8896fd3 (the commit immediately prior to the removal of the javascript processing pipeline in #29435: commit at 2f3b0c5cbe9cfdd10e11fd52e2a259e564001100). The evtx.golden.json files were generated by removing the js processing call at https://github.com/elastic/beats/blob/8896fd319a257f3e0783119a7dd8d0978ef62197/x-pack/winlogbeat/module/testing_windows.go#L132-L135 to match the code in that file as it appears here and then run go test -update in x-pack/winlogbeat/module/{powershell,security,sysmon}/test on a windows 2019 host. The test package for each of the modules is also resurrected with modifications reflecting the loss of the javascript processor. Tests in x-pack/winlogbeat/module/{security,sysmon}/test fail in this commit. * make sure metadata is available for enrichment of raw values This fixes failing tests in x-pack/winlogbeat/module/security/test, but tests in sysmon continue to fail because sysmon-11-filedeletedetected.evtx was added in 33acb3c (2022-01-25) after the origin of the forward port origin (2021-12-02). * update golden file for sysmon-11-filedeletedetected.evtx * ignore opcode field on Windows 2022 Also prohibit generating golden files for PowerShell on Windows 2022 to prevent unnecessary work in discovering that this will fail on other versions. * defer event field filtering until value comparison This will result in additional diff noise if golden values are generated on multiple versions of windows so it may be worth keeping the version used reasonably constant. The version used here was 2019. (cherry picked from commit f22abe3) # Conflicts: # x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json # x-pack/winlogbeat/module/testing_windows.go
efd6
added a commit
that referenced
this pull request
May 3, 2022
…t processing (#31491) * {,x-pack/}winlogbeat: resurrect tests for event processing (#31464) This is a moderately involved change. The process is described in the steps below, but the reader should refer to the commits in the PR to see exactly what was done and when. * port forward semi-processed events for tests This brings partially processed event data from a modified version of the testing code at 8896fd3 (the commit immediately prior to the removal of the javascript processing pipeline in #29435: commit at 2f3b0c5cbe9cfdd10e11fd52e2a259e564001100). The evtx.golden.json files were generated by removing the js processing call at https://github.com/elastic/beats/blob/8896fd319a257f3e0783119a7dd8d0978ef62197/x-pack/winlogbeat/module/testing_windows.go#L132-L135 to match the code in that file as it appears here and then run go test -update in x-pack/winlogbeat/module/{powershell,security,sysmon}/test on a windows 2019 host. The test package for each of the modules is also resurrected with modifications reflecting the loss of the javascript processor. Tests in x-pack/winlogbeat/module/{security,sysmon}/test fail in this commit. * make sure metadata is available for enrichment of raw values This fixes failing tests in x-pack/winlogbeat/module/security/test, but tests in sysmon continue to fail because sysmon-11-filedeletedetected.evtx was added in 33acb3c (2022-01-25) after the origin of the forward port origin (2021-12-02). * update golden file for sysmon-11-filedeletedetected.evtx * ignore opcode field on Windows 2022 Also prohibit generating golden files for PowerShell on Windows 2022 to prevent unnecessary work in discovering that this will fail on other versions. * defer event field filtering until value comparison This will result in additional diff noise if golden values are generated on multiple versions of windows so it may be worth keeping the version used reasonably constant. The version used here was 2019. (cherry picked from commit f22abe3) # Conflicts: # x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json # x-pack/winlogbeat/module/testing_windows.go * fix conflict scars * silence bad linter Co-authored-by: Dan Kortschak <[email protected]> Co-authored-by: Dan Kortschak <[email protected]>
|
@leehinman Does this mean users that use agent module javascript processors before forwarding to logstash are no longer supported? |
That is what I believe since in the latest version (8.2.2) of the Winlogbeat download (zip) they no longer include the javascript modules to parse the data on ingest pipelines for Elastic ingest nodes. :( |
|
@ag-michael Yes, that is correct. |
|
Yes the javascript modules are no longer in the zip, I just happened to figure it as I upgraded an agent today. I imported the module folder from an other agent and it works, this way I can still use logstas as my front-end for my agents. |
chrisberkhout
pushed a commit
that referenced
this pull request
Jun 1, 2023
This is a moderately involved change. The process is described in the steps below, but the reader should refer to the commits in the PR to see exactly what was done and when. * port forward semi-processed events for tests This brings partially processed event data from a modified version of the testing code at 8896fd3 (the commit immediately prior to the removal of the javascript processing pipeline in #29435: commit at 2f3b0c5cbe9cfdd10e11fd52e2a259e564001100). The evtx.golden.json files were generated by removing the js processing call at https://github.com/elastic/beats/blob/8896fd319a257f3e0783119a7dd8d0978ef62197/x-pack/winlogbeat/module/testing_windows.go#L132-L135 to match the code in that file as it appears here and then run go test -update in x-pack/winlogbeat/module/{powershell,security,sysmon}/test on a windows 2019 host. The test package for each of the modules is also resurrected with modifications reflecting the loss of the javascript processor. Tests in x-pack/winlogbeat/module/{security,sysmon}/test fail in this commit. * make sure metadata is available for enrichment of raw values This fixes failing tests in x-pack/winlogbeat/module/security/test, but tests in sysmon continue to fail because sysmon-11-filedeletedetected.evtx was added in 33acb3c (2022-01-25) after the origin of the forward port origin (2021-12-02). * update golden file for sysmon-11-filedeletedetected.evtx * ignore opcode field on Windows 2022 Also prohibit generating golden files for PowerShell on Windows 2022 to prevent unnecessary work in discovering that this will fail on other versions. * defer event field filtering until value comparison This will result in additional diff noise if golden values are generated on multiple versions of windows so it may be worth keeping the version used reasonably constant. The version used here was 2019.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Switches to ingest node processing instead of local javascript
processing for modules.
Why is it important?
For Agent we are using ingest node processing. This keeps the
Winlogbeat and Agent processing in sync and allows bug fixes to be
shared between them.
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Author's Checklist
How to test this PR locally
Test export of pipelines
Test uploading of pipelines with setup
Test uploading of pipelines when pipelines don't exist in ES
Related issues