Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Suricata package #186

Merged
merged 8 commits into from
Aug 5, 2020
Merged

Add Suricata package #186

merged 8 commits into from
Aug 5, 2020

Conversation

andrewkroh
Copy link
Member

@andrewkroh andrewkroh commented Jul 21, 2020
edited
Loading

What does this PR do?

Import the Suricata Filebeat module via PACKAGES=suricata mage -v ImportBeats.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all datasets collect metrics or logs.

Related issues

Screenshots

Screen Shot 2020-07-21 at 5 22 18 PM

Screen Shot 2020-07-21 at 5 22 30 PM

@andrewkroh andrewkroh added the enhancement New feature or request label Jul 21, 2020
@elasticmachine
Copy link

elasticmachine commented Jul 21, 2020
edited
Loading

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Branch indexing]

  • Start Time: 2020-08-05T01:45:07.478+0000

  • Duration: 4 min 55 sec

andrewstucki
andrewstucki reviewed Jul 21, 2020
View reviewed changes
packages/suricata/dataset/eve/agent/stream/log.yml.hbs Outdated
- {{path}}
{{/each}}
exclude_files: [".gz$"]
tags: {{tags}}
Copy link

@andrewstucki andrewstucki Jul 21, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, just to make sure -- this will actually resolve to foo, bar, baz if it's given an array like ["foo", "bar", "baz"] (notice no brackets in the rendered template, see example).

Does filebeat automatically do string splitting for the tags part of the configuration? If not I think this needs to become something like:

tags:
{{#each tags as |tag i|}}
 - {{tag}}
{{/each}}

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed. Thanks.

@andrewstucki andrewstucki mentioned this pull request Jul 23, 2020
Merged
@andrewkroh andrewkroh mentioned this pull request Jul 23, 2020
Merged
3 tasks
@andrewkroh
Add Suricata package
a08f376 
Import the Suricata Filebeat module via `PACKAGES=suricata mage -v ImportBeats`.
@andrewkroh
Update dashboards
ba6346c
@andrewkroh andrewkroh marked this pull request as ready for review July 30, 2020 21:45
@andrewkroh
Copy link
Member Author

Where should the fields that Filebeat adds be defined? Things like input.type are not in the index template.

Screen Shot 2020-07-30 at 5 46 39 PM

Additionally there could be fields from processors like add_host_metadata or add_docker_metadata? Is it the responsibility of each package to define these?

@andrewkroh
Copy link
Member Author

This module reads log files. Some of the log lines are metrics about the software. These documents have event.kind: metric. Should they have dataset.type: metrics or dataset.type: logs? If dataset.type: metrics then how would I accomplish this?

@ruflin
Copy link
Member

ruflin commented Jul 31, 2020
edited
Loading

@andrewkroh At the moment it is the responsibility of each package / dataset to add these fields.

@andrewkroh
Copy link
Member Author

This has been updated to add the datastream.* fields.

andrewstucki
andrewstucki approved these changes Aug 4, 2020
View reviewed changes
Copy link

@andrewstucki andrewstucki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this need container.id? I notice that filebeat is putting that in too. Other than that, LGTM

mtojek
mtojek approved these changes Aug 5, 2020
View reviewed changes
Copy link
Contributor

@mtojek mtojek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, I will merge this PR before introducing any breaking changes in the solution.

@mtojek mtojek merged commit bb5be79 into elastic:master Aug 5, 2020
@andrewkroh andrewkroh mentioned this pull request Aug 6, 2020
Merged
3 tasks
eyalkraft pushed a commit to build-security/integrations that referenced this pull request Mar 30, 2022
@andrewkroh
Add Suricata package (elastic#186)
6568490 
* Add Suricata package

Import the Suricata Filebeat module via `PACKAGES=suricata mage -v ImportBeats`.

* Update dashboards

* Fix config and require 7.10.0

* Add missing fields

* Update readme

* Add filebeat fields

* Update for datastream
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mtojek mtojek mtojek approved these changes

@andrewstucki andrewstucki andrewstucki approved these changes

Assignees
No one assigned
Labels
enhancement New feature or request Integration:suricata Suricata New Integration
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@andrewkroh @elasticmachine @ruflin @andrewstucki @mtojek