Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[imperva/securesphere] log.file.* fields mapped as long not keyword #8469

Closed
ebeahan opened this issue Nov 10, 2023 · 6 comments · Fixed by #8627
Closed

[imperva/securesphere] log.file.* fields mapped as long not keyword #8469

ebeahan opened this issue Nov 10, 2023 · 6 comments · Fixed by #8627
Labels
bug Something isn't working Integration:imperva

Comments

@ebeahan
Copy link
Member

ebeahan commented Nov 10, 2023

log.file.device_id and log.file.inode are mapped as long in the imperva package. Other packages treat these values as identifiers and map the fields as keyword.

Also causing testing failures:

FAILURE DETAILS:
imperva/securesphere logfile:
[0] parsing field value failed: field "log.file.device_id"'s Go type, string, does not match the expected field type: long (field value: 68)
[1] parsing field value failed: field "log.file.inode"'s Go type, string, does not match the expected field type: long (field value: 98)
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@jamiehynds
Copy link

@piyush-elastic would you mind adding this to our backlog as it relates to the recent Imperva integration update?

@piyush-elastic
Copy link
Contributor

piyush-elastic commented Nov 29, 2023
edited

@ebeahan - please find our analysis on this issue -

We checked the issue on the stack version 8.10.1 (As the minimum stack version for the Imperva SecureSphere is 8.10.1), and it's causing testing failure if we map the log.file.device_id and log.file.inode as keyword hence decided to put it as long.

Checked on the recent version 8.11.0 and found that it's causing testing failure for the same build if we use the log.file.device_id and log.file.inode as long.

Seems like the data types got updated to the keyword in the recent version. Please find attached response for bot versions
sample_event_8.11.json
sample_event_8.10.1.json

@ebeahan
Copy link
Member Author

ebeahan commented Nov 30, 2023

Beats recently added log.file.device_id and log.file.inode into the fields produced by the filestream input: elastic/beats#36065.

These field's weren't defined in the mappings of any integrations using the filestream input, and adding the mappings was tracked in #7687. I suspect since the work for #8237 was happening in parallel, the fields were added using long instead of keyword and missed in the work for #7687.

I propose we make a breaking change to the imperva package for these two fields to use keyword (to align with what's been done in other integrations). This will prevent a field type mismatch error when querying log.file.device_id or log.file.inode across imperva and other integration indices.

@janvi-elastic janvi-elastic mentioned this issue Dec 1, 2023
Merged
4 tasks
@piyush-elastic
Copy link
Contributor

@ebeahan - We have raised PR for the same.

@elasticmachine
Copy link

Package imperva - 0.20.1 containing this change is available at https://epr.elastic.co/search?package=imperva

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working Integration:imperva
Projects
None yet
Milestone
No milestone
4 participants
@ebeahan @elasticmachine @jamiehynds @piyush-elastic