From a6dd76eef422d320d3ae8511f2794a63e6fa83a5 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Wed, 5 May 2021 14:33:57 +0200
Subject: [PATCH 1/2] Mark cyberark module as deprecated (#25505)
The new cyberarkpas module replaces the RSA2Elk-generated cyberark.
Closes #25261
(cherry picked from commit 597eae05117364b8ac588c993545936d9b8c8c85)
---
 CHANGELOG.next.asciidoc | 3 +++
 filebeat/docs/modules/cyberark.asciidoc | 4 ++--
 x-pack/filebeat/filebeat.reference.yml | 2 ++
 x-pack/filebeat/module/cyberark/_meta/config.yml | 2 ++
 x-pack/filebeat/module/cyberark/_meta/docs.asciidoc | 4 ++--
 x-pack/filebeat/modules.d/cyberark.yml.disabled | 2 ++
 6 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 595ede92519..e9a0a88a582 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -53,6 +53,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Possible values for Netflow's locality fields (source.locality, destination.locality and flow.locality) are now `internal` and `external`, instead of `private` and `public`. {issue}24272[24272] {pull}24295[24295]
 - Add User Agent Parser for Azure Sign In Logs Ingest Pipeline {pull}23201[23201]
 - Changes filebeat httpjson input's append transform to create a list even with only a single value{pull}25074[25074]
+- Change logging in logs input to structure logging. Some log message formats have changed. {pull}25299[25299]
+- All url.* fields apart from url.original in the Apache, Nginx, IIS, Traefik, S3Access, Cisco, F5, Fortinet, Google Workspace, Imperva, Microsoft, Netscout, O365, Sophos, Squid, Suricata, Zeek, Zia, Zoom, and ZScaler modules are now url unescaped due to using the Elasticsearch uri_parts processor. {pull}24699[24699]
+- Deprecated the cyberark module (replaced by cyberarkpas). {issue}25261[25261] {pull}25505[25505]
 *Heartbeat*
diff --git a/filebeat/docs/modules/cyberark.asciidoc b/filebeat/docs/modules/cyberark.asciidoc
index 9f423f97625..bff645d0809 100644
--- a/filebeat/docs/modules/cyberark.asciidoc
+++ b/filebeat/docs/modules/cyberark.asciidoc
@@ -10,7 +10,7 @@ This file is generated! See scripts/docs_collector.py
 == Cyberark module
-experimental[]
+deprecated::[7.13.0,"This module is deprecated. Use the <>"]
 This is a module for receiving Cyber-Ark logs over Syslog or a file.
@@ -25,7 +25,7 @@ include::../include/config-option-intro.asciidoc[]
 [float]
 ==== `corepas` fileset settings
-experimental[]
+deprecated::[7.13.0]
 NOTE: This was converted from RSA NetWitness log parser XML "cyberark" device revision 124.
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
index f48c558a5d0..6e879467d6b 100644
--- a/x-pack/filebeat/filebeat.reference.yml
+++ b/x-pack/filebeat/filebeat.reference.yml
@@ -769,6 +769,8 @@ filebeat.modules:
 #var.paths:
 #------------------------------ Cyber-Ark Module ------------------------------
+# The cyberark module is deprecated and will be removed in future releases.
+# Please use the Cyberark Privileged Account Security (cyberarkpas) module instead.
 - module: cyberark
 corepas:
 enabled: true
diff --git a/x-pack/filebeat/module/cyberark/_meta/config.yml b/x-pack/filebeat/module/cyberark/_meta/config.yml
index fa8edd7046a..d3a1f20ec6f 100644
--- a/x-pack/filebeat/module/cyberark/_meta/config.yml
+++ b/x-pack/filebeat/module/cyberark/_meta/config.yml
@@ -1,3 +1,5 @@
+# The cyberark module is deprecated and will be removed in future releases.
+# Please use the Cyberark Privileged Account Security (cyberarkpas) module instead.
 - module: cyberark
 corepas:
 enabled: true
diff --git a/x-pack/filebeat/module/cyberark/_meta/docs.asciidoc b/x-pack/filebeat/module/cyberark/_meta/docs.asciidoc
index d4beae518e8..5d349be9bfe 100644
--- a/x-pack/filebeat/module/cyberark/_meta/docs.asciidoc
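Review bot: The deprecation comment added above `- module: cyberark` in `x-pack/filebeat/module/cyberark/_meta/config.yml` does not say since which version the module is deprecated, while the asciidoc hunks of the same commit pin it with `deprecated::[7.13.0]`; I would write `# Deprecated in 7.13.0: the cyberark module will be removed in a future release.` so that the config and the docs agree. The same two comment lines appear in the `filebeat.reference.yml` and `modules.d/cyberark.yml.disabled` hunks, which look like copies of this file, so the wording should change in all three. Nothing visible in this patch emits a warning at runtime, so a deployment that enabled the module from an older copy of the config will presumably never see the notice. Since this module ingests privileged-account audit logs, a startup log warning or an explicit migration step in the release notes would keep that telemetry from silently stopping when the module is eventually removed.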
+++ b/x-pack/filebeat/module/cyberark/_meta/docs.asciidoc
@@ -5,7 +5,7 @@
 == Cyberark module
-experimental[]
+deprecated::[7.13.0,"This module is deprecated. Use the <>"]
 This is a module for receiving Cyber-Ark logs over Syslog or a file.
@@ -20,7 +20,7 @@ include::../include/config-option-intro.asciidoc[]
 [float]
 ==== `corepas` fileset settings
-experimental[]
+deprecated::[7.13.0]
 NOTE: This was converted from RSA NetWitness log parser XML "cyberark" device revision 124.
diff --git a/x-pack/filebeat/modules.d/cyberark.yml.disabled b/x-pack/filebeat/modules.d/cyberark.yml.disabled
index e97955adfb8..f965cde2882 100644
--- a/x-pack/filebeat/modules.d/cyberark.yml.disabled
+++ b/x-pack/filebeat/modules.d/cyberark.yml.disabled
@@ -1,6 +1,8 @@
 # Module: cyberark
 # Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cyberark.html
+# The cyberark module is deprecated and will be removed in future releases.
+# Please use the Cyberark Privileged Account Security (cyberarkpas) module instead.
 - module: cyberark
 corepas:
 enabled: true
From 10ce334f2179dc4b8eacda9a2dfa27f6bb471331 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Mon, 10 May 2021 10:55:57 +0200
Subject: [PATCH 2/2] Cleanup changelog
---
 CHANGELOG.next.asciidoc | 2 --
 1 file changed, 2 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index e9a0a88a582..ca46ecd5803 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -53,8 +53,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Possible values for Netflow's locality fields (source.locality, destination.locality and flow.locality) are now `internal` and `external`, instead of `private` and `public`. {issue}24272[24272] {pull}24295[24295]
 - Add User Agent Parser for Azure Sign In Logs Ingest Pipeline {pull}23201[23201]
 - Changes filebeat httpjson input's append transform to create a list even with only a single value{pull}25074[25074]
-- Change logging in logs input to structure logging. Some log message formats have changed. {pull}25299[25299]
-- All url.* fields apart from url.original in the Apache, Nginx, IIS, Traefik, S3Access, Cisco, F5, Fortinet, Google Workspace, Imperva, Microsoft, Netscout, O365, Sophos, Squid, Suricata, Zeek, Zia, Zoom, and ZScaler modules are now url unescaped due to using the Elasticsearch uri_parts processor. {pull}24699[24699]
 - Deprecated the cyberark module (replaced by cyberarkpas). {issue}25261[25261] {pull}25505[25505]
 *Heartbeat*