[rsa2elk/zscaler] Upgrade to ECS 8.0.0

packages/zscaler/_dev/build/build.yml

@@ -1,3 +1,3 @@
 dependencies:
   ecs:
-    reference: git@1.12
+    reference: git@8.0

packages/zscaler/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.5.0"
+  changes:
+    - description: Update to ECS 8.0.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2599
 - version: "0.4.5"
   changes:
     - description: Regenerate test files using the new GeoIP database

packages/zscaler/data_stream/zia/_dev/test/pipeline/test-zscaler.log-expected.json

@@ -1,13 +1,13 @@
 {
     "expected": [
         {
-            "message": "hello ZSCALERNSS: time=WOOT Jun 23 15:16:42 2017^^timezone=CEST^^action=\u003caction\u003e^^reason=\u003cresult\u003e^^hostname=\u003chostname\u003e^^protocol=\u003cprotocol\u003e^^serverip=\u003cdaddr\u003e^^url=\u003curl\u003e^^urlcategory=\u003cfilter\u003e^^urlclass=\u003cinfo\u003e^^dlpdictionaries=\u003cfld3\u003e^^dlpengine=\u003cfld4\u003e^^filetype=\u003cfiletype\u003e^^threatcategory=\u003ccategory\u003e^^threatclass=\u003cvendor_event_cat\u003e^^pagerisk=\u003cfld8\u003e^^threatname=\u003cthreat_name\u003e^^clientpublicIP=\u003cfld9\u003e^^ClientIP=\u003csaddr\u003e^^location=\u003cfld11\u003e^^refererURL=\u003cweb_referer\u003e^^useragent=\u003cuser_agent\u003e^^department=\u003cuser_dept\u003e^^user=\u003cusername\u003e^^event_id=\u003cid\u003e^^clienttranstime=\u003cfld17\u003e^^requestmethod=\u003cweb_method\u003e^^requestsize=\u003csbytes\u003e^^requestversion=\u003cfld20\u003e^^status=\u003cresultcode\u003e^^responsesize=\u003crbytes\u003e^^responseversion=\u003cfld23\u003e^^transactionsize=\u003cbytes\u003e",
-            "event": {
-                "ingested": "2021-12-14T14:59:56.254697507Z"
-            },
             "ecs": {
-                "version": "1.12.0"
+                "version": "8.0.0"
             },
+            "event": {
+                "ingested": "2022-01-25T13:10:11.333969934Z"
+            },
+            "message": "hello ZSCALERNSS: time=WOOT Jun 23 15:16:42 2017^^timezone=CEST^^action=\u003caction\u003e^^reason=\u003cresult\u003e^^hostname=\u003chostname\u003e^^protocol=\u003cprotocol\u003e^^serverip=\u003cdaddr\u003e^^url=\u003curl\u003e^^urlcategory=\u003cfilter\u003e^^urlclass=\u003cinfo\u003e^^dlpdictionaries=\u003cfld3\u003e^^dlpengine=\u003cfld4\u003e^^filetype=\u003cfiletype\u003e^^threatcategory=\u003ccategory\u003e^^threatclass=\u003cvendor_event_cat\u003e^^pagerisk=\u003cfld8\u003e^^threatname=\u003cthreat_name\u003e^^clientpublicIP=\u003cfld9\u003e^^ClientIP=\u003csaddr\u003e^^location=\u003cfld11\u003e^^refererURL=\u003cweb_referer\u003e^^useragent=\u003cuser_agent\u003e^^department=\u003cuser_dept\u003e^^user=\u003cusername\u003e^^event_id=\u003cid\u003e^^clienttranstime=\u003cfld17\u003e^^requestmethod=\u003cweb_method\u003e^^requestsize=\u003csbytes\u003e^^requestversion=\u003cfld20\u003e^^status=\u003cresultcode\u003e^^responsesize=\u003crbytes\u003e^^responseversion=\u003cfld23\u003e^^transactionsize=\u003cbytes\u003e",
             "tags": [
                 "preserve_original_event"
             ]

packages/zscaler/data_stream/zia/agent/stream/stream.yml.hbs

@@ -19,7 +19,6 @@ fields:
 {{#contains "forwarded" tags}}
 publisher_pipeline.disable_host: true
 {{/contains}}
-
 processors:
 {{#if processors}}
 {{processors}}
@@ -830,7 +829,7 @@ processors:
               if (value != null && (result = fn(value))!== undefined) {
                   evt.Put(FIELDS_PREFIX + dst, result);
               } else {
-                  console.error(fn.name + " failed for '" + value + "'");
+                  console.debug(fn.name + " failed for '" + value + "'");
               }
           };
       }
@@ -1042,8 +1041,8 @@ processors:
           "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
           "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
           "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
-          "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
-          "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+          "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+          "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
           "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
           "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
           "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
@@ -1101,11 +1100,11 @@ processors:
           "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
           "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
           "method": {to:[{field: "http.request.method", setter: fld_set}]},
-          "msg": {to:[{field: "log.original", setter: fld_set}]},
+          "msg": {to:[{field: "message", setter: fld_set}]},
           "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
           "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
           "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
-          "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+          "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
           "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
           "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
           "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
@@ -1115,16 +1114,16 @@ processors:
           "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
           "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
           "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
-          "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+          "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
           "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
           "product": {to:[{field: "observer.product", setter: fld_set}]},
           "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
           "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
           "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
           "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
           "rulename": {to:[{field: "rule.name", setter: fld_set}]},
-          "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
-          "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+          "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+          "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
           "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
           "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
           "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
@@ -2557,8 +2556,8 @@ processors:
       	builder.Add(save_flags);
       	builder.Add(strip_syslog_priority);
       	builder.Add(chain1);
-      	builder.Add(populate_fields);
       	builder.Add(restore_flags);
+      	builder.Add(populate_fields);
       	var chain = builder.Build();
       	return {
       		process: chain.Run,

packages/zscaler/data_stream/zia/agent/stream/tcp.yml.hbs

@@ -16,7 +16,6 @@ fields:
 {{#contains "forwarded" tags}}
 publisher_pipeline.disable_host: true
 {{/contains}}
-
 processors:
 {{#if processors}}
 {{processors}}
@@ -827,7 +826,7 @@ processors:
               if (value != null && (result = fn(value))!== undefined) {
                   evt.Put(FIELDS_PREFIX + dst, result);
               } else {
-                  console.error(fn.name + " failed for '" + value + "'");
+                  console.debug(fn.name + " failed for '" + value + "'");
               }
           };
       }
@@ -1039,8 +1038,8 @@ processors:
           "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
           "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
           "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
-          "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
-          "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+          "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+          "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
           "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
           "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
           "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
@@ -1098,11 +1097,11 @@ processors:
           "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
           "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
           "method": {to:[{field: "http.request.method", setter: fld_set}]},
-          "msg": {to:[{field: "log.original", setter: fld_set}]},
+          "msg": {to:[{field: "message", setter: fld_set}]},
           "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
           "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
           "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
-          "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+          "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
           "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
           "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
           "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
@@ -1112,16 +1111,16 @@ processors:
           "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
           "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
           "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
-          "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+          "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
           "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
           "product": {to:[{field: "observer.product", setter: fld_set}]},
           "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
           "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
           "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
           "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
           "rulename": {to:[{field: "rule.name", setter: fld_set}]},
-          "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
-          "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+          "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+          "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
           "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
           "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
           "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
@@ -2554,8 +2553,8 @@ processors:
       	builder.Add(save_flags);
       	builder.Add(strip_syslog_priority);
       	builder.Add(chain1);
-      	builder.Add(populate_fields);
       	builder.Add(restore_flags);
+      	builder.Add(populate_fields);
       	var chain = builder.Build();
       	return {
       		process: chain.Run,

packages/zscaler/data_stream/zia/agent/stream/udp.yml.hbs

@@ -16,7 +16,6 @@ fields:
 {{#contains "forwarded" tags}}
 publisher_pipeline.disable_host: true
 {{/contains}}
-
 processors:
 {{#if processors}}
 {{processors}}
@@ -827,7 +826,7 @@ processors:
               if (value != null && (result = fn(value))!== undefined) {
                   evt.Put(FIELDS_PREFIX + dst, result);
               } else {
-                  console.error(fn.name + " failed for '" + value + "'");
+                  console.debug(fn.name + " failed for '" + value + "'");
               }
           };
       }
@@ -1039,8 +1038,8 @@ processors:
           "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
           "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
           "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
-          "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
-          "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+          "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+          "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
           "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
           "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
           "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
@@ -1098,11 +1097,11 @@ processors:
           "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
           "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
           "method": {to:[{field: "http.request.method", setter: fld_set}]},
-          "msg": {to:[{field: "log.original", setter: fld_set}]},
+          "msg": {to:[{field: "message", setter: fld_set}]},
           "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
           "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
           "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
-          "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+          "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
           "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
           "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
           "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
@@ -1112,16 +1111,16 @@ processors:
           "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
           "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
           "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
-          "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+          "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
           "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
           "product": {to:[{field: "observer.product", setter: fld_set}]},
           "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
           "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
           "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
           "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
           "rulename": {to:[{field: "rule.name", setter: fld_set}]},
-          "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
-          "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+          "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+          "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
           "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
           "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
           "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
@@ -2554,8 +2553,8 @@ processors:
       	builder.Add(save_flags);
       	builder.Add(strip_syslog_priority);
       	builder.Add(chain1);
-      	builder.Add(populate_fields);
       	builder.Add(restore_flags);
+      	builder.Add(populate_fields);
       	var chain = builder.Build();
       	return {
       		process: chain.Run,

packages/zscaler/data_stream/zia/elasticsearch/ingest_pipeline/default.yml

@@ -8,7 +8,7 @@ processors:
       value: '{{_ingest.timestamp}}'
   - set:
       field: ecs.version
-      value: '1.12.0'
+      value: '8.0.0'
   # User agent
   - user_agent:
       field: user_agent.original

packages/zscaler/data_stream/zia/fields/ecs.yml

@@ -110,8 +110,6 @@
   name: http.request.referrer
 - external: ecs
   name: log.level
-- external: ecs
-  name: log.original
 - external: ecs
   name: log.syslog.facility.code
 - external: ecs
@@ -153,7 +151,7 @@
 - external: ecs
   name: process.pid
 - external: ecs
-  name: process.ppid
+  name: process.parent.pid
 - external: ecs
   name: process.title
 - external: ecs