Incorrect data types in Fleet managed ingest pipelines #85486

Closed
andrewkroh opened this issue Dec 9, 2020 · 6 comments
Labels
bug Fixes for quality problems that affect the customer experience Feature:Fleet Fleet team's agent central management project Team:Fleet Team label for Observability Data Collection Fleet team


@andrewkroh
Member

andrewkroh commented Dec 9, 2020

Kibana version:

```json
{
  "version": {
    "number": "7.11.0",
    "build_hash": "1a6d7308e58787bf0448f65c039739b40d4a6e3d",
    "build_number": 37074,
    "build_snapshot": true
  }
}
```

Elasticsearch version:

```json
{
  "version": {
    "number": "7.11.0-SNAPSHOT",
    "build_flavor": "default",
    "build_type": "docker",
    "build_hash": "279bf21e59fcbac1135922b4828f82578f266234",
    "build_date": "2020-12-08T15:51:24.143094Z"
  }
}
```

Server OS version: Docker

Browser version: Firefox 83.0

Browser OS version: MacOS

Original install method (e.g. download page, yum, from source, etc.): Docker

Describe the bug:

Steps to reproduce:

  1. Set up Fleet.
  2. Install Palo Alto integration.
  3. View the ingest node pipeline with
     `GET _ingest/pipeline/logs-panw.panos-*`
  4. Find the script processor with several params.

     Screen Shot 2020-12-09 at 5 21 42 PM

  5. Compare those `params` values to the definition contained in the package definition. Note the JSON contains strings, but the pipeline source contains numbers. You can download the package from the package registry `curl -L -O https://epr.elastic.co/epr/panw/panw-0.3.2.zip`. The pipeline is in `default.yml`.

Screen Shot 2020-12-09 at 5 25 28 PM

Expected behavior:
The ingest node pipeline in Elasticsearch should contain numeric values for params. My assumption is that there's an issue with the YAML to JSON conversion, but I'm not sure. What I expect to see is this conversion output (where JSON has numbers).

Screen Shot 2020-12-09 at 7 13 35 PM

Any additional context:

In this instance the incorrect data types cause problems within the Painless script. But this could cause problems elsewhere too. The error we see from this pipeline is

```
Cannot convert [java.lang.String] to an integral value.
```
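A check for the symptom reported above, as an added example that is not part of the original post or of any Elastic project: it walks the JSON returned by `GET _ingest/pipeline/<id>` and lists script-processor `params` values that are strings but would parse as numbers. The sample response, pipeline id and param names are constructed for illustration.

```python
import json
import re

# Strings that would parse as an integer or float.
NUMERIC = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")

def stringly_numbers(value, path=""):
    """Yield (path, value) for every string leaf that looks like a number."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from stringly_numbers(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from stringly_numbers(child, f"{path}[{i}]")
    elif isinstance(value, str) and NUMERIC.match(value):
        yield path, value

def script_params(node):
    """Yield the params dict of every script processor, including ones
    nested in on_failure handlers or foreach bodies."""
    if isinstance(node, dict):
        script = node.get("script")
        if isinstance(script, dict) and isinstance(script.get("params"), dict):
            yield script["params"]
        for child in node.values():
            yield from script_params(child)
    elif isinstance(node, list):
        for child in node:
            yield from script_params(child)

def audit(response_text):
    """Return sorted (pipeline_id, param_path, value) findings."""
    findings = []
    for pipeline_id, body in json.loads(response_text).items():
        for params in script_params(body):
            findings += [(pipeline_id, p, v) for p, v in stringly_numbers(params)]
    return sorted(findings)

# Constructed sample response; the pipeline id and param names are made up.
SAMPLE = """{"logs-example-0.0.0": {"processors": [
  {"set": {"field": "event.kind", "value": "event"}},
  {"script": {"lang": "painless", "source": "...",
              "params": {"threshold": "5", "label": "allow",
                         "levels": {"low": 1, "high": "10"}}}}
]}}"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

A flagged value is only a candidate: compare it with the package's `default.yml` to confirm the source declared a number rather than a deliberately quoted string.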
@andrewkroh andrewkroh added bug Fixes for quality problems that affect the customer experience Feature:Fleet Fleet team's agent central management project labels Dec 9, 2020
@elasticmachine
Contributor

Pinging @elastic/ingest-management (Feature:Fleet)

andrewkroh added a commit to andrewkroh/integrations that referenced this issue Dec 10, 2020
This adds both a pipeline and a system test for the Palo Alto PAN-OS.
The test uncovered an issue with incorrect data types in the final ingest
pipeline that's loaded to ES. I added a work-around to the pipeline for the
incorrect data types. elastic/kibana#85486

And there were a few undocumented fields.
@ruflin ruflin added the Team:Fleet Team label for Observability Data Collection Fleet team label Dec 14, 2020
@ruflin
Contributor

ruflin commented Dec 14, 2020

@skh Could you take a look at this?

@skh
Contributor

skh commented Dec 14, 2020

I can reproduce the problem, but I also see it when I add the ingest pipeline manually with

```
curl -u elastic:changeme -X PUT "localhost:9200/_ingest/pipeline/my-pipeline-id?pretty" -H 'Content-Type: application/yaml' --data-binary @/home/skh/tmp/panw-0.3.2/data_stream/panos/elasticsearch/ingest_pipeline/default.yml
```

Can you check if adding the pipeline with curl works for you? Am I missing something?

andrewkroh added a commit to elastic/integrations that referenced this issue Dec 14, 2020
This adds both a pipeline and a system test for the Palo Alto PAN-OS.
The test uncovered an issue with incorrect data types in the final ingest
pipeline that's loaded to ES. I added a work-around to the pipeline for the
incorrect data types. elastic/kibana#85486

And there were a few undocumented fields.
@andrewkroh
Member Author

I can produce the same issue with the Elasticsearch API directly. @skh, so Fleet is directly passing YAML content to the _ingest/pipeline API?

@skh
Contributor

skh commented Dec 17, 2020

> Fleet is directly passing YAML content to the _ingest/pipeline API?

Mostly, yes. We do insert references to other pipelines, if necessary, but other than that we just pass it through.

@skh
Contributor

skh commented Dec 18, 2020

Closing in favor of elastic/elasticsearch#66555, please reopen if necessary.

@skh skh closed this as completed Dec 18, 2020
eyalkraft pushed a commit to build-security/integrations that referenced this issue Mar 30, 2022
This adds both a pipeline and a system test for the Palo Alto PAN-OS.
The test uncovered an issue with incorrect data types in the final ingest
pipeline that's loaded to ES. I added a work-around to the pipeline for the
incorrect data types. elastic/kibana#85486

And there were a few undocumented fields.