
Integrations that parse timestamps without a year fail after new year #4950

Closed
jsoriano opened this issue Jan 9, 2023 · 9 comments

Comments

@jsoriano
Member

jsoriano commented Jan 9, 2023

Some integrations have started failing after the change of year. These integrations are likely parsing timestamps without a year.

These tests should be fixed by checking first if the year is actually not found in the logs, or if there is some parsing issue.

You can find the failing packages for example in these builds:

Pinging owners of affected packages: @elastic/security-external-integrations @elastic/obs-service-integrations @elastic/elastic-agent-data-plane

cc @elastic/ecosystem

@ebeahan
Member

ebeahan commented Jan 9, 2023

Looking at a handful of the SEI-owned packages, it's because the original logs don't include a year at all in the timestamp. This is expected for BSD/RFC 3164 syslog message timestamps (Mmm dd hh:mm:ss).

@jsoriano any suggestions of how to address? Have we ever hit this issue with other integrations in the past?

@jsoriano
Member Author

> @jsoriano any suggestions of how to address? Have we ever hit this issue with other integrations in the past?

Hey @ebeahan,

After confirming that the source log/event doesn't contain a year, I think there are a couple of options in the test configuration:

Not sure though if the second option will solve this problem.

Another option is to just regenerate the expected results, but they will fail again next year 🙂

@narph
Contributor

narph commented Jan 12, 2023

> Define a pattern to validate the timestamp, as is done for example in
> integrations/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-common-config.yml
>
> Line 2 in 27f5518
>
> "@timestamp": "^[0-9]{4}(-[0-9]{2}){2}T[0-9]{2}(:[0-9]{2}){2}\.[0-9]{3}Z$"
>
> Not sure though if the second option will solve this problem.

pfsense is one of the affected packages

pfsense/log test-pfsense-unbound.log:
--- want
+++ got
@@ -1,7 +1,7 @@
 {
     "expected": [
         {
-            "@timestamp": "2022-08-15T16:19:02.000-04:00",
+            "@timestamp": "2023-08-15T16:19:02.000-04:00",
             "client": {
                 "address": "192.168.1.1",
                 "ip": "192.168.1.1"

╭─────────┬─────────────┬───────────┬──────────────────────────┬─────────────────────────────────────────────────────────────────────────┬──────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME                │ RESULT                                                                  │ TIME ELAPSED │
├─────────┼─────────────┼───────────┼──────────────────────────┼─────────────────────────────────────────────────────────────────────────┼──────────────┤
│ pfsense │ log         │ pipeline  │ test-opensense.log       │ FAIL: test case failed: Expected results are different from actual ones │    39.8652ms │
│ pfsense │ log         │ pipeline  │ test-pfsense-bsd.log     │ FAIL: test case failed: Expected results are different from actual ones │    13.0515ms │
│ pfsense │ log         │ pipeline  │ test-pfsense-dhcp.log    │ FAIL: test case failed: Expected results are different from actual ones │    17.1696ms │
│ pfsense │ log         │ pipeline  │ test-pfsense-haproxy.log │ FAIL: test case failed: Expected results are different from actual ones │    14.0588ms │
│ pfsense │ log         │ pipeline  │ test-pfsense-ipsec.log   │ PASS                                                                    │    11.4619ms │
│ pfsense │ log         │ pipeline  │ test-pfsense-openvpn.log │ FAIL: test case failed: Expected results are different from actual ones │    10.0666ms │
│ pfsense │ log         │ pipeline  │ test-pfsense-phpfpm.log  │ FAIL: test case failed: Expected results are different from actual ones │       9.43ms │
│ pfsense │ log         │ pipeline  │ test-pfsense-squid.log   │ FAIL: test case failed: Expected results are different from actual ones │     7.2031ms │
│ pfsense │ log         │ pipeline  │ test-pfsense-syslog.log  │ PASS                                                                    │    10.8438ms │
│ pfsense │ log         │ pipeline  │ test-pfsense-unbound.log │ FAIL: test case failed: Expected results are different from actual ones │    10.0712ms │
╰─────────┴─────────────┴───────────┴──────────────────────────┴─────────────────────────────────────────────────────────────────────────┴──────────────╯

I've added:

dynamic_fields:
  "@timestamp": "^[0-9]{4}(-[0-9]{2}){2}T[0-9]{2}(:[0-9]{2}){2}\\.[0-9]{3}"

to https://github.com/elastic/integrations/blob/main/packages/pfsense/data_stream/log/_dev/test/pipeline/test-common-config.yml

and tests passed

--- Test results for package: pfsense - START ---
╭─────────┬─────────────┬───────────┬──────────────────────────┬────────┬──────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME                │ RESULT │ TIME ELAPSED │
├─────────┼─────────────┼───────────┼──────────────────────────┼────────┼──────────────┤
│ pfsense │ log         │ pipeline  │ test-opensense.log       │ PASS   │     36.612ms │
│ pfsense │ log         │ pipeline  │ test-pfsense-bsd.log     │ PASS   │    16.5897ms │
│ pfsense │ log         │ pipeline  │ test-pfsense-dhcp.log    │ PASS   │    15.7219ms │
│ pfsense │ log         │ pipeline  │ test-pfsense-haproxy.log │ PASS   │    12.9254ms │
│ pfsense │ log         │ pipeline  │ test-pfsense-ipsec.log   │ PASS   │    14.0902ms │
│ pfsense │ log         │ pipeline  │ test-pfsense-openvpn.log │ PASS   │    12.6828ms │
│ pfsense │ log         │ pipeline  │ test-pfsense-phpfpm.log  │ PASS   │    10.6016ms │
│ pfsense │ log         │ pipeline  │ test-pfsense-squid.log   │ PASS   │     8.8069ms │
│ pfsense │ log         │ pipeline  │ test-pfsense-syslog.log  │ PASS   │    11.4988ms │
│ pfsense │ log         │ pipeline  │ test-pfsense-unbound.log │ PASS   │    10.3019ms │
╰─────────┴─────────────┴───────────┴──────────────────────────┴────────┴──────────────╯
--- Test results for package: pfsense - END   ---

@jsoriano, @andrewkroh should we go with the second option for the security packages?
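The two points raised in this thread, that RFC 3164 (`Mmm dd hh:mm:ss`) timestamps carry no year so the parsed `@timestamp` drifts with the year the test runs in, and that a `dynamic_fields` regex makes the comparison tolerant of that drift while still catching a malformed or missing timestamp, can be reproduced with a small script. The code below is an added illustration, not code from elastic-package or from the pfsense integration; the sample syslog line, the `-04:00` offset, the `parse_rfc3164` and `compare_results` helpers are all constructed here, and `compare_results` only mimics the idea of pattern-checked fields, not elastic-package's actual implementation.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a BSD/RFC 3164 syslog line. Note the header has no year.
SAMPLE_LINE = "Aug 15 16:19:02 pfsense unbound[1234]: info: resolving example.com. A IN"

# The pattern narph added under dynamic_fields (YAML "\\." becomes "\." at runtime).
TIMESTAMP_PATTERN = r"^[0-9]{4}(-[0-9]{2}){2}T[0-9]{2}(:[0-9]{2}){2}\.[0-9]{3}"

# RFC 3164 header: "Mmm dd hh:mm:ss host message" (day may be space-padded).
RFC3164_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
MONTHS = {name: num for num, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_rfc3164(line, now):
    """Parse an RFC 3164 line into a flat event dict.

    The log has no year, so the year is taken from `now` (the clock of the
    machine running the pipeline/test). That is exactly why expected results
    recorded in one year stop matching in the next.
    """
    m = RFC3164_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line")
    ts = datetime(now.year, MONTHS[m["mon"]], int(m["day"]),
                  int(m["hh"]), int(m["mm"]), int(m["ss"]), tzinfo=now.tzinfo)
    return {
        "@timestamp": ts.isoformat(timespec="milliseconds"),
        "host": {"name": m["host"]},
        "message": m["msg"],
    }


def compare_results(expected, actual, dynamic_fields):
    """Return the names of fields that differ between expected and actual.

    Fields listed in `dynamic_fields` are validated against a regex instead of
    an exact value, mirroring the idea behind the dynamic_fields test option:
    the timestamp's year may move, but it must still have the right shape.
    """
    diffs = []
    for key, want in expected.items():
        got = actual.get(key)
        pattern = dynamic_fields.get(key)
        if pattern is not None:
            if not isinstance(got, str) or re.search(pattern, got) is None:
                diffs.append(key)
        elif got != want:
            diffs.append(key)
    return diffs


def demo():
    """Same log line parsed 'in 2022' and 'in 2023', compared both ways."""
    tz = timezone(timedelta(hours=-4))  # constructed offset matching the diff above
    recorded_2022 = parse_rfc3164(SAMPLE_LINE, datetime(2022, 12, 1, tzinfo=tz))
    rerun_2023 = parse_rfc3164(SAMPLE_LINE, datetime(2023, 1, 9, tzinfo=tz))

    exact = compare_results(recorded_2022, rerun_2023, {})
    dynamic = compare_results(recorded_2022, rerun_2023,
                              {"@timestamp": TIMESTAMP_PATTERN})
    # A broken pipeline that emits no usable timestamp is still caught.
    broken = dict(rerun_2023, **{"@timestamp": None})
    broken_check = compare_results(recorded_2022, broken,
                                   {"@timestamp": TIMESTAMP_PATTERN})
    return recorded_2022["@timestamp"], rerun_2023["@timestamp"], exact, dynamic, broken_check


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the expected result recorded in 2022 (`2022-08-15T16:19:02.000-04:00`) versus the 2023 rerun (`2023-08-15T16:19:02.000-04:00`): the exact comparison reports `@timestamp` as different, the pattern-checked comparison reports nothing, and a `None` timestamp still fails under the pattern check. That last case is the reason to prefer a pattern over simply deleting the field from the expected results: it keeps covering the "parsing issue" case jsoriano asked to rule out first.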

@andrewkroh
Member

Using a dynamic field to handle the year SGTM.

@jsoriano
Member Author

Yeah, sounds good, do you have a PR with the change for pfsense?

@narph
Contributor

narph commented Jan 12, 2023

> Yeah, sounds good, do you have a PR with the change for pfsense?

We'll soon link a PR with changes for all security packages.

@ebeahan
Member

ebeahan commented Jan 13, 2023

Security external integrations have updated our integrations: #4984

@jsoriano
Member Author

Thanks!

@jsoriano
Member Author

jsoriano commented Feb 9, 2023

It looks like all related issues have been fixed. Thanks all!

@jsoriano jsoriano closed this as completed Feb 9, 2023