[windows] Fix mapping/pipelines for time_created (#5384)
Fix mapping of winlog.time_created in the forwarded data stream and improve
error handling for date processor failures throughout.
nicpenning authored Feb 28, 2023
1 parent fb6f417 commit d4fd194
Showing 10 changed files with 114 additions and 30 deletions.
5 changes: 5 additions & 0 deletions packages/windows/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.18.0"
changes:
- description: Fix mapping/pipelines for winlog.time_created
type: enhancement
link: https://github.com/elastic/integrations/pull/5384
- version: "1.17.0"
changes:
- description: Add CallTrace, GrantedAccess, TargetImage, TargetProcessGUID, fields to sysmon_operational fields
Expand Up @@ -33,11 +33,19 @@ processors:
if: ctx?.winlog?.level != ""
- date:
field: winlog.time_created
tag: "time_created_date"
formats:
- ISO8601
ignore_failure: true
if: ctx?.winlog?.time_created != null

if: ctx.winlog?.time_created != null
on_failure:
- remove:
field: winlog.time_created
ignore_failure: true
- append:
field: error.message
value: "fail-{{{ _ingest.on_failure_processor_tag }}}"
- fail:
message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}"
- set:
field: event.kind
value: event
Expand Down Expand Up @@ -426,5 +434,8 @@ processors:

on_failure:
- set:
field: "error.message"
field: event.kind
value: pipeline_error
- append:
field: error.message
value: "{{ _ingest.on_failure_message }}"
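Review bot: The `fail` step added to the date processor's `on_failure` aborts the rest of the pipeline, so an event whose `winlog.time_created` does not parse as ISO8601 now skips every later processor and is indexed with `event.kind: pipeline_error`, whereas with the removed `ignore_failure: true` it was still fully normalized. The preceding `remove` appears to be what keeps such a document indexable against the new `date` mapping, so if losing downstream enrichment for these events is not intended, consider dropping the `fail` step and keeping only `remove` and `append`; otherwise a short comment stating that a malformed `time_created` is meant to quarantine the whole event would make the intent clear. The `append` renders the tag with `{{{ _ingest.on_failure_processor_tag }}}` while the `fail` message uses `{{ ... }}` for the same variables; use one form unless the difference in template escaping is deliberate. The same block is repeated in the six following pipeline sections, and the enclosing `processors` list starts before this hunk.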
Expand Up @@ -35,11 +35,19 @@ processors:
if: ctx?.winlog?.level != ""
- date:
field: winlog.time_created
tag: "time_created_date"
formats:
- ISO8601
ignore_failure: true
if: ctx?.winlog?.time_created != null

if: ctx.winlog?.time_created != null
on_failure:
- remove:
field: winlog.time_created
ignore_failure: true
- append:
field: error.message
value: "fail-{{{ _ingest.on_failure_processor_tag }}}"
- fail:
message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}"
- set:
field: event.kind
value: event
Expand Down Expand Up @@ -485,5 +493,8 @@ processors:

on_failure:
- set:
field: "error.message"
field: event.kind
value: pipeline_error
- append:
field: error.message
value: "{{ _ingest.on_failure_message }}"
Expand Up @@ -3251,13 +3251,24 @@ processors:

- date:
field: winlog.time_created
tag: "time_created_date"
formats:
- ISO8601
ignore_failure: true
if: ctx?.winlog?.time_created != null
if: ctx.winlog?.time_created != null
on_failure:
- remove:
field: winlog.time_created
ignore_failure: true
- append:
field: error.message
value: "fail-{{{ _ingest.on_failure_processor_tag }}}"
- fail:
message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}"

on_failure:
- set:
field: event.kind
value: pipeline_error
- append:
field: error.message
value: |-
Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
value: "{{ _ingest.on_failure_message }}"
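Review bot: The pipeline-level handler now appends only `{{ _ingest.on_failure_message }}` to `error.message`, dropping the processor type, tag and pipeline name that the removed `value: |-` template carried. Failures of the tagged date processor still identify themselves through the `fail` message above, but any other processor in this pipeline that fails will leave a bare message with no indication of which processor or pipeline produced it, which makes triage of `event.kind: pipeline_error` documents harder. If the goal is to align with the handlers in the other pipelines, consider keeping the context on one line, e.g. `value: 'Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"'`. The same replacement appears in the two later sections whose handler also had the multi-line template.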
Expand Up @@ -15,10 +15,19 @@ processors:
- date:
field: winlog.time_created
target_field: event.created
tag: "time_created_date"
formats:
- ISO8601
ignore_failure: true
if: ctx?.winlog?.time_created != null
if: ctx.winlog?.time_created != null
on_failure:
- remove:
field: winlog.time_created
ignore_failure: true
- append:
field: error.message
value: "fail-{{{ _ingest.on_failure_processor_tag }}}"
- fail:
message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}"
- date:
field: winlog.event_data.UtcTime
formats:
Expand Down Expand Up @@ -1249,6 +1258,8 @@ processors:

on_failure:
- set:
field: "error.message"
value: |-
Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
field: event.kind
value: pipeline_error
- append:
field: error.message
value: "{{ _ingest.on_failure_message }}"
2 changes: 1 addition & 1 deletion packages/windows/data_stream/forwarded/fields/winlog.yml
Expand Up @@ -37,7 +37,7 @@
Success or Failure of the event.
- name: time_created
type: keyword
type: date
required: false
description: >
Time event was created
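Review bot: Changing `time_created` from `keyword` to `date` is a breaking mapping change for an existing data stream: as far as I know the new mapping is applied only to backing indices created after the package upgrade, so until a rollover, queries that span old and new indices will see both types for `winlog.time_created`, and saved searches or rules built on the keyword field may break. The changelog entry for this PR records the change as `type: enhancement`; a sentence in the changelog or package docs noting the rollover requirement, or the package's breaking-change changelog category if one exists, would help operators plan the upgrade. The `description` of the field is unchanged and could also state that the value is parsed as ISO8601 and removed when it fails to parse, as the pipelines now do.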
Expand Up @@ -33,10 +33,19 @@ processors:
if: ctx?.winlog?.level != ""
- date:
field: winlog.time_created
tag: "time_created_date"
formats:
- ISO8601
ignore_failure: true
if: ctx?.winlog?.time_created != null
if: ctx.winlog?.time_created != null
on_failure:
- remove:
field: winlog.time_created
ignore_failure: true
- append:
field: error.message
value: "fail-{{{ _ingest.on_failure_processor_tag }}}"
- fail:
message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}"

- set:
field: event.kind
Expand Down Expand Up @@ -449,5 +458,8 @@ processors:

on_failure:
- set:
field: "error.message"
field: event.kind
value: pipeline_error
- append:
field: error.message
value: "{{ _ingest.on_failure_message }}"
Expand Up @@ -35,10 +35,19 @@ processors:
if: ctx?.winlog?.level != ""
- date:
field: winlog.time_created
tag: "time_created_date"
formats:
- ISO8601
ignore_failure: true
if: ctx?.winlog?.time_created != null
if: ctx.winlog?.time_created != null
on_failure:
- remove:
field: winlog.time_created
ignore_failure: true
- append:
field: error.message
value: "fail-{{{ _ingest.on_failure_processor_tag }}}"
- fail:
message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}"

- set:
field: event.kind
Expand Down Expand Up @@ -508,5 +517,8 @@ processors:

on_failure:
- set:
field: "error.message"
field: event.kind
value: pipeline_error
- append:
field: error.message
value: "{{ _ingest.on_failure_message }}"
Expand Up @@ -19,10 +19,19 @@ processors:
- date:
field: winlog.time_created
target_field: event.created
tag: "time_created_date"
formats:
- ISO8601
ignore_failure: true
if: ctx?.winlog?.time_created != null
if: ctx.winlog?.time_created != null
on_failure:
- remove:
field: winlog.time_created
ignore_failure: true
- append:
field: error.message
value: "fail-{{{ _ingest.on_failure_processor_tag }}}"
- fail:
message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}"
- date:
field: winlog.event_data.UtcTime
formats:
Expand Down Expand Up @@ -1259,6 +1268,8 @@ processors:

on_failure:
- set:
field: "error.message"
value: |-
Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
field: event.kind
value: pipeline_error
- append:
field: error.message
value: "{{ _ingest.on_failure_message }}"
2 changes: 1 addition & 1 deletion packages/windows/manifest.yml
@@ -1,6 +1,6 @@
name: windows
title: Windows
version: 1.17.0
version: 1.18.0
description: Collect logs and metrics from Windows OS and services with Elastic Agent.
type: integration
categories:
