-
Notifications
You must be signed in to change notification settings - Fork 407
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
network_traffic: expose configuration options to users #3157
Conversation
220650d
to
54e96b0
Compare
51157bb
to
35c037f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is my initial review that was requested, covering mostly just manifest and hbs files.
I think the discussion we had around what should be show_user true
and what should be false
Should simply drill down to this:
-
If the option is usually never used, and usually requires complex configuration, it should not be shown to user (which means it is moved under advanced options).
-
If we end up with a lot of options set to
true
, try to minimize them even more with sane defaults, so that the initial count of available options is low.
Currently it seems to follow this principle, so it's not a comment against the current state of the config, but rather the thought around what should be true
and what should be false
.
{{#if transaction_timeout}} | ||
transaction_timeout: {{transaction_timeout}} | ||
{{/if}} | ||
{{#if index}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please remove index from all the configs, and change it out with dataset.datastream
ref here: https://github.com/elastic/integrations/blob/main/packages/tcp/data_stream/generic/agent/stream/tcp.yml.hbs#L1
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have removed the data_stream.dataset
since it was causing the tests to fail.
Change here.
{{#each processes}} | ||
- cmdline_grep: {{this}} | ||
{{#each processes as |process|}} | ||
- cmdline_grep: {{process}} | ||
{{/each}} | ||
{{/if}} | ||
{{#if interface}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add support for custom processors, similar to here:
https://github.com/elastic/integrations/blob/main/packages/tcp/data_stream/generic/agent/stream/tcp.yml.hbs#L38
@@ -13,7 +13,86 @@ streams: | |||
required: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it does not support multi, it might be wise that we change this to type yaml
, instead of text
or integer
, to allow for array support?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will that get around the kibana issue?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When using mutli: true
with type: text
I can still pass numbers through the policy (tested this with tags
). One option could be to change the type to text and forego the number validation until this is fixed. And speaking of fixes, I cannot find an open issue in elastic/kibana for supporting multi + integer, can you please open one, @efd6?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have tried multi: true
with type: text
and I am unable to get this to work; the tests fail with {"statusCode":400,"error":"Bad Request","message":"Package policy is invalid: inputs.packet.streams.network_traffic.http.vars.port: Invalid format"}
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With tags
the handlebar template uses a for loop to construct the value. Maybe try that format if you haven't already.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes that was one of the many already tried.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using multi: true
with type: text
and for loop in the Handlebar template is working for me on 7.17.0.
Generated policy:
- id: packet-network-9c3f6353-0533-4ad9-828f-fd99cf93f3f1
name: network_traffic-1
revision: 1
type: packet
use_output: default
meta:
package:
name: network_traffic
version: 0.10.0
data_stream:
namespace: default
streams:
- id: packet-network_traffic.dhcpv4-9c3f6353-0533-4ad9-828f-fd99cf93f3f1
type: dhcpv4
data_stream:
dataset: network_traffic.dhcpv4
type: logs
ports:
- 67
- 68
diff --git a/packages/network_traffic/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs b/packages/network_traffic/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs
index 3856fc4d9..dba4a3a7b 100644
--- a/packages/network_traffic/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs
+++ b/packages/network_traffic/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs
@@ -1,5 +1,12 @@
type: dhcpv4
-ports: [{{port}}]
+
+{{#if port}}
+ports:
+{{#each port as |p|}}
+ - {{p}}
+{{/each}}
+{{/if}}
+
{{#if keep_null}}
keep_null: {{keep_null}}
{{/if}}
diff --git a/packages/network_traffic/data_stream/dhcpv4/manifest.yml b/packages/network_traffic/data_stream/dhcpv4/manifest.yml
index 8e5ff7b20..646b0cc19 100644
--- a/packages/network_traffic/data_stream/dhcpv4/manifest.yml
+++ b/packages/network_traffic/data_stream/dhcpv4/manifest.yml
@@ -5,14 +5,14 @@ streams:
- input: packet
vars:
- name: port
- type: integer
+ type: text
# currently the Kibana UI doesn't support multi inputs
# that are numeric, you get "Error: r.toLowerCase is not a function"
- # multi: true
- title: Port
+ multi: true
+ title: Ports
required: true
show_user: true
- default: 67 # default: [67, 68]
+ default: [67, 68]
- name: keep_null
type: bool
title: Keep Null
35c037f
to
dac901b
Compare
dac901b
to
14dda19
Compare
14dda19
to
b5a21ed
Compare
🌐 Coverage report
|
3ad6265
to
3ee3614
Compare
packages/network_traffic/data_stream/amqp/agent/stream/amqp.yml.hbs
Outdated
Show resolved
Hide resolved
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
@@ -13,7 +13,86 @@ streams: | |||
required: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When using mutli: true
with type: text
I can still pass numbers through the policy (tested this with tags
). One option could be to change the type to text and forego the number validation until this is fixed. And speaking of fixes, I cannot find an open issue in elastic/kibana for supporting multi + integer, can you please open one, @efd6?
b14f81e
to
3670582
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The current state looks very good. I would like to get the port issue resolved since that will make this much more usable. Can you try repeating my results with the provided diff.
@@ -13,7 +13,86 @@ streams: | |||
required: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using multi: true
with type: text
and for loop in the Handlebar template is working for me on 7.17.0.
Generated policy:
- id: packet-network-9c3f6353-0533-4ad9-828f-fd99cf93f3f1
name: network_traffic-1
revision: 1
type: packet
use_output: default
meta:
package:
name: network_traffic
version: 0.10.0
data_stream:
namespace: default
streams:
- id: packet-network_traffic.dhcpv4-9c3f6353-0533-4ad9-828f-fd99cf93f3f1
type: dhcpv4
data_stream:
dataset: network_traffic.dhcpv4
type: logs
ports:
- 67
- 68
diff --git a/packages/network_traffic/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs b/packages/network_traffic/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs
index 3856fc4d9..dba4a3a7b 100644
--- a/packages/network_traffic/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs
+++ b/packages/network_traffic/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs
@@ -1,5 +1,12 @@
type: dhcpv4
-ports: [{{port}}]
+
+{{#if port}}
+ports:
+{{#each port as |p|}}
+ - {{p}}
+{{/each}}
+{{/if}}
+
{{#if keep_null}}
keep_null: {{keep_null}}
{{/if}}
diff --git a/packages/network_traffic/data_stream/dhcpv4/manifest.yml b/packages/network_traffic/data_stream/dhcpv4/manifest.yml
index 8e5ff7b20..646b0cc19 100644
--- a/packages/network_traffic/data_stream/dhcpv4/manifest.yml
+++ b/packages/network_traffic/data_stream/dhcpv4/manifest.yml
@@ -5,14 +5,14 @@ streams:
- input: packet
vars:
- name: port
- type: integer
+ type: text
# currently the Kibana UI doesn't support multi inputs
# that are numeric, you get "Error: r.toLowerCase is not a function"
- # multi: true
- title: Port
+ multi: true
+ title: Ports
required: true
show_user: true
- default: 67 # default: [67, 68]
+ default: [67, 68]
- name: keep_null
type: bool
title: Keep Null
I'm convinced I tried this; obviously not. |
3670582
to
a4645c3
Compare
Locally, this works for all of the data streams except http and redis. I have done a fair amount of surgical dissection, but have not been able to find the difference between it and the multiport data streams that do work. I'm pushing to see if this is just a local issue; nope also fails, but differently — it appears 8.2 validates and fails out early while 7.17 forges ahead fruitlessly. The error that is reported is what I was getting previously:
Because it's being rejected, I'm not sure how to check what it thinks it is being told. This was resolved by monkeying in the running kibana container with
(there is no and restarting the container to see the value that it's being given. This showed that the values were scalars. These were coming from the test configs. |
[git-generate] go run github.com/efd6/generatentconf@4016d320082df0f9ecba567a6115a2e4966d1b98 -root packages/network_traffic
212952f
to
875c0f8
Compare
🎉 |
What does this PR do?
This exposes the majority of available configuration options for the network traffic data streams and removes the command line grep process name rewrite configuration.
Checklist
changelog.yml
file.Author's Checklist
How to test this PR locally
elastic-package test
in packages/network_traffic.Related issues
Screenshots
Single example:
![Screen Shot 2022-05-06 at 18 18 00](https://user-images.githubusercontent.com/90160302/167099102-73852671-da73-40f0-9187-92ed4f8b20cb.png)