[Filebeat] sophos.xg - Handle new log field names#31388
[Filebeat] sophos.xg - Handle new log field names#31388andrewkroh merged 6 commits intoelastic:mainfrom
Conversation
Sync the Fleet integration pipeline into the Filebeat module. Based on elastic/integrations@919fe81. Fixes elastic#29002
andrewkroh
requested review from
belimawr and
faec
and removed request for
a team
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
botelastic
bot
added
needs_team
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
💚 Flaky test reportTests succeeded. 🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
andrewkroh
force-pushed
the
feature/fb/sync-sophos-integration
branch
from
00dea68 to
95617fc
Compare
Add event.ingested. Change to Go template format.
[git-generate] mage -d filebeat update cd x-pack/filebeat mage update PYTEST_ADDOPTS="-k sophos" TESTING_FILEBEAT_MODULES=sophos GENERATE=true mage -v pythonIntegTest
andrewkroh
force-pushed
the
feature/fb/sync-sophos-integration
branch
from
95617fc to
3d4654d
Compare
belimawr
left a comment
belimawr
left a comment
There was a problem hiding this comment.
It's quite hard to do a detailed review, but in general it looks good. Once CI is green, it's good to merge.
|
/test |
* Sort fields.yml by name before modifying * sophos.xg - Handle new log field names Sync the Fleet integration pipeline into the Filebeat module. Based on elastic/integrations@919fe81. Fixes elastic#29002 * Remove duplicate syslog_server_name field * Pipeline modifications for Beats Add event.ingested. Change to Go template format. * Update generated files [git-generate] mage -d filebeat update cd x-pack/filebeat mage update PYTEST_ADDOPTS="-k sophos" TESTING_FILEBEAT_MODULES=sophos GENERATE=true mage -v pythonIntegTest * Add changelog
|
@andrewkroh has this pipeline enhancement been backported to 7.17? A user is running 7.17 and the Filebeat module, and wondering if they can avail of the newer XG log support? (cc: @tiaanwest) |
andrewkroh
added
the
backport-7.17
* Sort fields.yml by name before modifying * sophos.xg - Handle new log field names Sync the Fleet integration pipeline into the Filebeat module. Based on elastic/integrations@919fe81. Fixes #29002 * Remove duplicate syslog_server_name field * Pipeline modifications for Beats Add event.ingested. Change to Go template format. * Update generated files [git-generate] mage -d filebeat update cd x-pack/filebeat mage update PYTEST_ADDOPTS="-k sophos" TESTING_FILEBEAT_MODULES=sophos GENERATE=true mage -v pythonIntegTest * Add changelog
Hey @andrewkroh, would you be able to give me an indication whether or not this will be backported to 7.17? Or should the user rather upgrade to 8.x where the change has been implemented? |
|
I opened a 7.17 backport at #31637, but I'm not sure if it's going to mergeable. I will need to look over the failures that occurred. It might be that because this new work is based on ECS 8.x that some of the fields don't exists in ECS 1.x that is being used in Filebeat 7.17. I think the 8.3.0 release will be out sooner than the next 7.17 minor. So that will get this in their hands faster. Or if they try Elastic Agent they could use the Fleet integration now. Or another option could be to install the Fleet integration and wire up Filebeat to send data into data stream that it creates. |
* Sort fields.yml by name before modifying * sophos.xg - Handle new log field names Sync the Fleet integration pipeline into the Filebeat module. Based on elastic/integrations@919fe81. Fixes #29002 * Remove duplicate syslog_server_name field * Pipeline modifications for Beats Add event.ingested. Change to Go template format. * Update generated files [git-generate] mage -d filebeat update cd x-pack/filebeat mage update PYTEST_ADDOPTS="-k sophos" TESTING_FILEBEAT_MODULES=sophos GENERATE=true mage -v pythonIntegTest * Add changelog
…ames (#31637) * [Filebeat] sophos.xg - Handle new log field names (#31388) * Sort fields.yml by name before modifying * sophos.xg - Handle new log field names Sync the Fleet integration pipeline into the Filebeat module. Based on elastic/integrations@919fe81. Fixes #29002 * Remove duplicate syslog_server_name field * Pipeline modifications for Beats Add event.ingested. Change to Go template format. * Update generated files [git-generate] mage -d filebeat update cd x-pack/filebeat mage update PYTEST_ADDOPTS="-k sophos" TESTING_FILEBEAT_MODULES=sophos GENERATE=true mage -v pythonIntegTest * Add default_field: false to sophos.xg fields Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
* Sort fields.yml by name before modifying * sophos.xg - Handle new log field names Sync the Fleet integration pipeline into the Filebeat module. Based on elastic/integrations@919fe81. Fixes #29002 * Remove duplicate syslog_server_name field * Pipeline modifications for Beats Add event.ingested. Change to Go template format. * Update generated files [git-generate] mage -d filebeat update cd x-pack/filebeat mage update PYTEST_ADDOPTS="-k sophos" TESTING_FILEBEAT_MODULES=sophos GENERATE=true mage -v pythonIntegTest * Add changelog
5 participants
What does this PR do?
Sync the Fleet integration pipeline into the Filebeat module.
Based on elastic/integrations@919fe81.
Fixes #29002
Why is it important?
New versions of Sophos (XG) Firewall logs use different field names so the pipeline needed updated.
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Related issues