x-pack/winlogbeat/module/routing: make pipeline routing robust to channel letter case #36899

Merged
merged 1 commit into from
Oct 23, 2023

Conversation

efd6
Contributor

@efd6 efd6 commented Oct 18, 2023

Proposed commit message

Apparently some events from Windows servers and workstations in Security channel have a lowercase channel name. This has not been observed in other channels, but defensively apply the same care there.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding changes to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works (see windows: make pipeline routing robust to channel letter case integrations#8242 for testing in integrations)
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.


@efd6 efd6 added enhancement Winlogbeat backport-skip Skip notification from the automated backport with mergify 8.12 candidate labels Oct 18, 2023
@efd6 efd6 self-assigned this Oct 18, 2023
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Oct 18, 2023
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Oct 18, 2023
…nnel letter case

Apparently some events from Windows servers and workstations in Security channel
have a lowercase channel name. This has not been observed in other channels, but
defensively apply the same care there.
@efd6 efd6 force-pushed the 36670-winlogbeat branch from f946d7d to 1429d22 Compare October 18, 2023 20:48
@elasticmachine
Collaborator

💚 Build Succeeded


Build stats

  • Duration: 41 min 15 sec

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@efd6 efd6 marked this pull request as ready for review October 18, 2023 21:48
@efd6 efd6 requested a review from a team as a code owner October 18, 2023 21:48
@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@@ -6,16 +6,16 @@ processors:
value: '{{_ingest.timestamp}}'
- pipeline:
name: '{< IngestPipeline "security" >}'
if: ctx?.winlog?.channel == 'Security' && ['Microsoft-Windows-Eventlog', 'Microsoft-Windows-Security-Auditing'].contains(ctx?.winlog?.provider_name)
if: ctx.winlog?.channel instanceof String && ctx.winlog.channel.toLowerCase() == 'security' && ['Microsoft-Windows-Eventlog', 'Microsoft-Windows-Security-Auditing'].contains(ctx.winlog?.provider_name)
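Review bot: the provider_name part of the new `if:` is still an exact-case match (`['Microsoft-Windows-Eventlog', 'Microsoft-Windows-Security-Auditing'].contains(ctx.winlog?.provider_name)`), so an event whose provider name arrived with different letter case would still bypass the security pipeline. That is consistent with the commit message, which reports the case difference only for the channel name, but it is worth stating in the PR description so a later report of a lowercased provider name is not mistaken for a regression of this change. The ordering of the guard is right: `ctx.winlog?.channel instanceof String` is evaluated before `ctx.winlog.channel.toLowerCase()`, so a missing or non-string channel makes the condition false instead of throwing inside the pipeline.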
Contributor


Any pipeline test for this change?

Contributor Author


The changes are tested in the integration PR as noted above. The issue with testing here is that we need an evtx with the case difference. The system and pipeline tests here test for regression already though.
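One way to check the old and new routing conditions against the edge cases this thread is about (lowercase channel, missing winlog object, non-string channel), as an added example that is not part of this PR or of Winlogbeat: the two Painless conditions from the diff are modelled as Python predicates, the null-safe `?.` access is imitated by a small helper, and the events are constructed samples rather than real Windows event data.

```python
# Added example (not from elastic/beats): models the routing conditions
# before and after the PR so their behaviour can be compared offline.

SECURITY_PROVIDERS = {"Microsoft-Windows-Eventlog",
                      "Microsoft-Windows-Security-Auditing"}

def _get(ctx, *path):
    """Imitate Painless null-safe access such as ctx?.winlog?.channel."""
    cur = ctx
    for key in path:
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur

def route_old(ctx):
    """Condition before the PR: exact, case-sensitive channel match."""
    return (_get(ctx, "winlog", "channel") == "Security"
            and _get(ctx, "winlog", "provider_name") in SECURITY_PROVIDERS)

def route_new(ctx):
    """Condition after the PR: type guard first, then case-insensitive match."""
    channel = _get(ctx, "winlog", "channel")
    if not isinstance(channel, str):   # the `instanceof String` guard
        return False
    return (channel.lower() == "security"
            and _get(ctx, "winlog", "provider_name") in SECURITY_PROVIDERS)

# Constructed sample events (hypothetical, not captured from a host).
EVENTS = {
    "canonical": {"winlog": {"channel": "Security", "provider_name": "Microsoft-Windows-Security-Auditing"}},
    "lowercase": {"winlog": {"channel": "security", "provider_name": "Microsoft-Windows-Security-Auditing"}},
    "other_channel": {"winlog": {"channel": "System", "provider_name": "Microsoft-Windows-Eventlog"}},
    "no_winlog": {"message": "not a winlog event"},
    "non_string": {"winlog": {"channel": 42, "provider_name": "Microsoft-Windows-Eventlog"}},
    "wrong_provider": {"winlog": {"channel": "security", "provider_name": "Other-Provider"}},
}

def compare_routing(events=EVENTS):
    """Return {name: (routed_by_old, routed_by_new)} for every sample event."""
    return {name: (route_old(ev), route_new(ev)) for name, ev in events.items()}

if __name__ == "__main__":
    for name, (old, new) in compare_routing().items():
        flag = "  <- previously missed the security pipeline" if new and not old else ""
        print(f"{name:15} old={old!s:5} new={new!s:5}{flag}")
```

The "lowercase" event is the one the PR fixes; the "no_winlog" and "non_string" rows show that the guard turns a would-be error into a plain false.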

@efd6 efd6 merged commit 1852747 into elastic:main Oct 23, 2023
Scholar-Li pushed a commit to Scholar-Li/beats that referenced this pull request Feb 5, 2024
…nnel letter case (elastic#36899)

Apparently some events from Windows servers and workstations in Security channel
have a lowercase channel name. This has not been observed in other channels, but
defensively apply the same care there.
Labels
8.12-candidate backport-skip Skip notification from the automated backport with mergify enhancement Winlogbeat
Development

Successfully merging this pull request may close these issues.

[Winlogbeat] Lowercase Security channel name
3 participants