network_traffic: expose configuration options to users

[efd6]

What does this PR do?

This exposes the majority of available configuration options for the network traffic data streams and removes the command line grep process name rewrite configuration.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• Compare with packetbeat.reference.yml for options for each data stream.

How to test this PR locally

elastic-package test in packages/network_traffic.

Related issues

• Closes Network Packet Capture - Protocol Settings #2860
• Relates Network Packet Capture - Process Monitoring #2720

Screenshots

Single example:

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-05-11T07:19:12.284+0000

• Duration: 71 min 58 sec

Test stats 🧪

Test	Results
Failed	0
Passed	264
Skipped	0
Total	264

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[P1llus]

This is my initial review that was requested, covering mostly just manifest and hbs files.

I think the discussion we had around what should be show_user true and what should be false
Should simply drill down to this:

1. If the option is usually never used, and usually requires complex configuration, it should not be shown to user (which means it is moved under advanced options).

2. If we end up with a lot of options set to true, try to minimize them even more with sane defaults, so that the initial count of available options is low.

Currently it seems to follow this principle, so it's not a comment against the current state of the config, but rather the thought around what should be true and what should be false.

[P1llus]

Please remove index from all the configs, and change it out with dataset.datastream
ref here: https://github.com/elastic/integrations/blob/main/packages/tcp/data_stream/generic/agent/stream/tcp.yml.hbs#L1

[efd6]

I have removed the data_stream.dataset since it was causing the tests to fail.

Change here.

[P1llus]

Please add support for custom processors, similar to here:
https://github.com/elastic/integrations/blob/main/packages/tcp/data_stream/generic/agent/stream/tcp.yml.hbs#L38

[P1llus]

If it does not support multi, it might be wise that we change this to type yaml, instead of text or integer, to allow for array support?

[efd6]

Will that get around the kibana issue?

[andrewkroh]

When using mutli: true with type: text I can still pass numbers through the policy (tested this with tags). One option could be to change the type to text and forego the number validation until this is fixed. And speaking of fixes, I cannot find an open issue in elastic/kibana for supporting multi + integer, can you please open one, @efd6?

[efd6]

elastic/kibana#131360

[efd6]

I have tried multi: true with type: text and I am unable to get this to work; the tests fail with {"statusCode":400,"error":"Bad Request","message":"Package policy is invalid: inputs.packet.streams.network_traffic.http.vars.port: Invalid format"}.

[andrewkroh]

With tags the handlebar template uses a for loop to construct the value. Maybe try that format if you haven't already.

[efd6]

Yes that was one of the many already tried.

[andrewkroh]

Using multi: true with type: text and for loop in the Handlebar template is working for me on 7.17.0.

Generated policy:

  - id: packet-network-9c3f6353-0533-4ad9-828f-fd99cf93f3f1
    name: network_traffic-1
    revision: 1
    type: packet
    use_output: default
    meta:
      package:
        name: network_traffic
        version: 0.10.0
    data_stream:
      namespace: default
    streams:
      - id: packet-network_traffic.dhcpv4-9c3f6353-0533-4ad9-828f-fd99cf93f3f1
        type: dhcpv4
        data_stream:
          dataset: network_traffic.dhcpv4
          type: logs
        ports:
          - 67
          - 68

diff --git a/packages/network_traffic/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs b/packages/network_traffic/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs
index 3856fc4d9..dba4a3a7b 100644
--- a/packages/network_traffic/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs
+++ b/packages/network_traffic/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs
@@ -1,5 +1,12 @@
 type: dhcpv4
-ports: [{{port}}]
+
+{{#if port}}
+ports:
+{{#each port as |p|}}
+  - {{p}}
+{{/each}}
+{{/if}}
+
 {{#if keep_null}}
 keep_null: {{keep_null}}
 {{/if}}
diff --git a/packages/network_traffic/data_stream/dhcpv4/manifest.yml b/packages/network_traffic/data_stream/dhcpv4/manifest.yml
index 8e5ff7b20..646b0cc19 100644
--- a/packages/network_traffic/data_stream/dhcpv4/manifest.yml
+++ b/packages/network_traffic/data_stream/dhcpv4/manifest.yml
@@ -5,14 +5,14 @@ streams:
   - input: packet
     vars:
       - name: port
-        type: integer
+        type: text
         # currently the Kibana UI doesn't support multi inputs
         # that are numeric, you get "Error: r.toLowerCase is not a function"
-        # multi: true
-        title: Port
+        multi: true
+        title: Ports
         required: true
         show_user: true
-        default: 67 # default: [67, 68]
+        default: [67, 68]
       - name: keep_null
         type: bool
         title: Keep Null

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (0/0)	💚
Files	100.0% (0/0)	💚 3.659
Classes	100.0% (0/0)	💚 3.659
Methods	71.875% (46/64)	👎 -17.009
Lines	100.0% (0/0)	💚 9.897
Conditionals	100.0% (0/0)	💚

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[andrewkroh]

When using mutli: true with type: text I can still pass numbers through the policy (tested this with tags). One option could be to change the type to text and forego the number validation until this is fixed. And speaking of fixes, I cannot find an open issue in elastic/kibana for supporting multi + integer, can you please open one, @efd6?

[andrewkroh]

The current state looks very good. I would like to get the port issue resolved since that will make this much more usable. Can you try repeating my results with the provided diff.

[andrewkroh]

Using multi: true with type: text and for loop in the Handlebar template is working for me on 7.17.0.

Generated policy:

  - id: packet-network-9c3f6353-0533-4ad9-828f-fd99cf93f3f1
    name: network_traffic-1
    revision: 1
    type: packet
    use_output: default
    meta:
      package:
        name: network_traffic
        version: 0.10.0
    data_stream:
      namespace: default
    streams:
      - id: packet-network_traffic.dhcpv4-9c3f6353-0533-4ad9-828f-fd99cf93f3f1
        type: dhcpv4
        data_stream:
          dataset: network_traffic.dhcpv4
          type: logs
        ports:
          - 67
          - 68

diff --git a/packages/network_traffic/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs b/packages/network_traffic/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs
index 3856fc4d9..dba4a3a7b 100644
--- a/packages/network_traffic/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs
+++ b/packages/network_traffic/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs
@@ -1,5 +1,12 @@
 type: dhcpv4
-ports: [{{port}}]
+
+{{#if port}}
+ports:
+{{#each port as |p|}}
+  - {{p}}
+{{/each}}
+{{/if}}
+
 {{#if keep_null}}
 keep_null: {{keep_null}}
 {{/if}}
diff --git a/packages/network_traffic/data_stream/dhcpv4/manifest.yml b/packages/network_traffic/data_stream/dhcpv4/manifest.yml
index 8e5ff7b20..646b0cc19 100644
--- a/packages/network_traffic/data_stream/dhcpv4/manifest.yml
+++ b/packages/network_traffic/data_stream/dhcpv4/manifest.yml
@@ -5,14 +5,14 @@ streams:
   - input: packet
     vars:
       - name: port
-        type: integer
+        type: text
         # currently the Kibana UI doesn't support multi inputs
         # that are numeric, you get "Error: r.toLowerCase is not a function"
-        # multi: true
-        title: Port
+        multi: true
+        title: Ports
         required: true
         show_user: true
-        default: 67 # default: [67, 68]
+        default: [67, 68]
       - name: keep_null
         type: bool
         title: Keep Null

[efd6]

I'm convinced I tried this; obviously not.

[efd6]

Locally, this works for all of the data streams except http and redis. I have done a fair amount of surgical dissection, but have not been able to find the difference between it and the multiport data streams that do work. I'm pushing to see if this is just a local issue; nope also fails, but differently — it appears 8.2 validates and fails out early while 7.17 forges ahead fruitlessly.

The error that is reported is what I was getting previously:

{
   "statusCode":400,
   "error":"Bad Request",
   "message":"Package policy is invalid: inputs.packet.streams.network_traffic.http.vars.port: Invalid format"
}

Because it's being rejected, I'm not sure how to check what it thinks it is being told.

This was resolved by monkeying in the running kibana container with

sed -i "s/'Invalid format'/'Invalid format: '+String(parsedValue)+' ('+Object.prototype.toString.call(parsedValue)+')'/" x-pack/plugins/fleet/common/services/validate_package_policy.js

(there is no vi in the container)

and restarting the container to see the value that it's being given. This showed that the values were scalars. These were coming from the test configs.

[efd6]

🎉