diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 7d155d3ca72..51d1d72787f 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -117,6 +117,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix an issue where error messages are not accurate in mapstriface. {issue}18662[18662] {pull}18663[18663] - Fix regression in `add_kubernetes_metadata`, so configured `indexers` and `matchers` are used if defaults are not disabled. {issue}18481[18481] {pull}18818[18818] - Fix potential race condition in fingerprint processor. {pull}18738[18738] +- Fix the `translate_sid` processor's handling of unconfigured target fields. {issue}18990[18990] {pull}18991[18991] *Auditbeat* diff --git a/libbeat/processors/translate_sid/translatesid.go b/libbeat/processors/translate_sid/translatesid.go index 491ed66859f..f794019d78e 100644 --- a/libbeat/processors/translate_sid/translatesid.go +++ b/libbeat/processors/translate_sid/translatesid.go @@ -111,14 +111,20 @@ func (p *processor) translateSID(event *beat.Event) error { // Do all operations even if one fails. var errs []error - if _, err = event.PutValue(p.AccountNameTarget, account); err != nil { - errs = append(errs, err) + if p.AccountNameTarget != "" { + if _, err = event.PutValue(p.AccountNameTarget, account); err != nil { + errs = append(errs, err) + } } - if _, err = event.PutValue(p.AccountTypeTarget, sys.SIDType(accountType).String()); err != nil { - errs = append(errs, err) + if p.AccountTypeTarget != "" { + if _, err = event.PutValue(p.AccountTypeTarget, sys.SIDType(accountType).String()); err != nil { + errs = append(errs, err) + } } - if _, err = event.PutValue(p.DomainTarget, domain); err != nil { - errs = append(errs, err) + if p.DomainTarget != "" { + if _, err = event.PutValue(p.DomainTarget, domain); err != nil { + errs = append(errs, err) + } } return multierr.Combine(errs...) } diff --git a/libbeat/processors/translate_sid/translatesid_test.go b/libbeat/processors/translate_sid/translatesid_test.go index ad1fbc6a4b8..529f90b065f 100644 --- a/libbeat/processors/translate_sid/translatesid_test.go +++ b/libbeat/processors/translate_sid/translatesid_test.go @@ -25,6 +25,7 @@ import ( "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "golang.org/x/sys/windows" "github.com/elastic/beats/v7/libbeat/beat" @@ -83,6 +84,41 @@ func TestTranslateSID(t *testing.T) { } } +func TestTranslateSIDEmptyTarget(t *testing.T) { + c := defaultConfig() + c.Field = "sid" + + evt := &beat.Event{Fields: map[string]interface{}{ + "sid": "S-1-5-32-544", + }} + + tests := []struct { + Name string + Config config + }{ + {"account_name", config{Field: "sid", AccountNameTarget: "account_name"}}, + {"account_type", config{Field: "sid", AccountTypeTarget: "account_type"}}, + {"domain", config{Field: "sid", DomainTarget: "domain"}}, + } + + for _, tc := range tests { + tc := tc + t.Run(tc.Name, func(t *testing.T) { + p, err := newFromConfig(tc.Config) + require.NoError(t, err) + + evt, err := p.Run(&beat.Event{Fields: evt.Fields.Clone()}) + require.NoError(t, err) + + // Verify that only the configured target field is set. + // And ensure that no empty string keys are used. + assert.Len(t, evt.Fields, 2) + assert.Contains(t, evt.Fields, tc.Name) + assert.NotContains(t, evt.Fields, "") + }) + } +} + func BenchmarkProcessor_Run(b *testing.B) { p, err := newFromConfig(config{ Field: "sid",