Filebeat ingest processor for CloudTrail maps previous digest object #32609

Closed
sypste opened this issue Aug 4, 2022 · 2 comments · Fixed by #32759


sypste commented Aug 4, 2022

Please post all questions and issues on https://discuss.elastic.co/c/beats
before opening a Github Issue. Your questions will reach a wider audience there,
and if we confirm that there is a bug, then you can open a new issue.

For security vulnerabilities please only send reports to security@elastic.co.
See https://www.elastic.co/community/security for more information.

Please include configurations and logs if available.

For confirmed bugs, please report:

We came across a confounding mapping for the CloudTrail processor in Filebeat, where a CloudTrail digest file is mapped to ECS. A CloudTrail digest file contains both an S3 reference to itself as well as to the previous digest file (see docs). The Filebeat processor maps the previous digest file to file.path instead of the current one, which is sometimes null (see configuration for the ingest pipeline). This behavior is unexpected.
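To make the reported mapping concrete, here is an added illustration (not the Filebeat ingest pipeline and not code from the issue author) that maps two constructed digest documents to file.path once from previousDigestS3Object, as the issue describes, and once from digestS3Object, as expected. The account id, bucket and object keys are made up; only the digest field names follow the documented CloudTrail digest format.

```python
import json
from typing import Any, Optional

# Constructed CloudTrail digest documents (fake account id, bucket and keys).
# The first digest in a chain has no predecessor, so its previous* fields are null.
DIGEST_KEY_1 = "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2022/08/04/d1.json.gz"
DIGEST_KEY_2 = "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2022/08/04/d2.json.gz"

FIRST_DIGEST = json.dumps({
    "awsAccountId": "111122223333",
    "digestS3Bucket": "example-trail-bucket",
    "digestS3Object": DIGEST_KEY_1,
    "previousDigestS3Bucket": None,
    "previousDigestS3Object": None,
    "logFiles": [],
})
SECOND_DIGEST = json.dumps({
    "awsAccountId": "111122223333",
    "digestS3Bucket": "example-trail-bucket",
    "digestS3Object": DIGEST_KEY_2,
    "previousDigestS3Bucket": "example-trail-bucket",
    "previousDigestS3Object": DIGEST_KEY_1,
    "logFiles": [],
})


def map_digest(raw: str, source_field: str) -> dict[str, Any]:
    """Simplified ECS-style mapping of one digest document (an illustration).

    source_field picks which S3 key becomes file.path: "previousDigestS3Object"
    reproduces the behaviour reported in the issue, "digestS3Object" the one
    the reporter expects. cloud.account.id is the only other field kept here.
    """
    doc = json.loads(raw)
    return {
        "cloud": {"account": {"id": doc.get("awsAccountId")}},
        "file": {"path": doc.get(source_field)},
    }


def reported_file_path(raw: str) -> Optional[str]:
    """file.path as the issue says the pipeline produces it (previous digest key)."""
    return map_digest(raw, "previousDigestS3Object")["file"]["path"]


def expected_file_path(raw: str) -> Optional[str]:
    """file.path pointing at the digest object the event was read from."""
    return map_digest(raw, "digestS3Object")["file"]["path"]


def file_path_is_self(raw: str, file_path: Optional[str]) -> bool:
    """Consistency check: the mapped file.path must equal the digest's own key."""
    return file_path is not None and file_path == json.loads(raw)["digestS3Object"]
```

Running the check over a stream of mapped digest events is a cheap way to spot the null or off-by-one file.path before it reaches a dashboard.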

@botelastic botelastic bot added the needs_team label (Indicates that the issue/PR needs a Team:* label) Aug 4, 2022

sypste commented Aug 8, 2022

@leehinman Hope you don't mind if I tag you directly, since you implemented the feature.

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
