checkpoint: avoid data loss from loguid collisions #6483
Conversation
Because Checkpoint reuses loguids, it is possible for two logged events to be given the same fingerprint. So use the segment_time as well in the fingerprint args. Also document that if collisions are important, the user should enable semi-unified logging on the device's dashboard.
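To show why a loguid-only fingerprint loses data, here is an added example (not code from the PR or the integration): constructed Checkpoint-style events that share a `loguid` are fingerprinted with and without `segment_time`, and the fingerprint is then used as the document `_id`, so a collision overwrites the earlier event. The hashing here is a stand-in for the ingest fingerprint processor's exact byte layout, and the loguid and timestamps are invented sample values.

```python
import hashlib

# Constructed sample events (not real device output). Checkpoint reuses the
# loguid, so three distinct events can carry the same value. Events 2 and 3
# also share a segment_time, which is the residual case the docs note covers.
SAME_LOGUID = "{0x5f1a2b3c,0x1,0xc0a80101,0xc0000000}"  # constructed
EVENTS = [
    {"loguid": SAME_LOGUID, "segment_time": "2023-06-01T10:00:00Z",
     "action": "Accept", "dst": "10.0.0.5"},
    {"loguid": SAME_LOGUID, "segment_time": "2023-06-01T10:00:01Z",
     "action": "Drop", "dst": "10.0.0.6"},
    {"loguid": SAME_LOGUID, "segment_time": "2023-06-01T10:00:01Z",
     "action": "Drop", "dst": "10.0.0.7"},
]


def fingerprint(event, fields):
    """SHA-256 over field name/value pairs in the given order.

    Approximates a fingerprint processor; the separator and byte layout are
    an assumption for illustration, not the Elasticsearch implementation.
    """
    h = hashlib.sha256()
    for name in fields:
        h.update(name.encode())
        h.update(b"|")
        h.update(str(event.get(name, "")).encode())
        h.update(b"|")
    return h.hexdigest()


def index_by_fingerprint(events, fields):
    """Simulate indexing with the fingerprint as _id.

    A later event with the same _id replaces the earlier one, which is the
    silent data loss the PR is about.
    """
    index = {}
    for ev in events:
        index[fingerprint(ev, fields)] = ev
    return index


def lost_events(events, fields):
    """Number of events dropped because their fingerprint collided."""
    return len(events) - len(index_by_fingerprint(events, fields))
```

With `["loguid"]` alone two of the three events are lost; adding `segment_time` recovers one, and the remaining collision (same loguid and same segment_time) is the case that needs semi-unified logging on the device.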
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Minor clarification. LGTM 👍🏼
In some instances firewall events may have the same Checkpoint `loguid` and arrive during the same timestamp resulting in a fingerprint collision. To avoid this [enable semi-unified logging](https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_LoggingAndMonitoring_AdminGuide/Topics-LMG/Log-Exporter-Appendix.htm?TocPath=Log%20Exporter%7C_____9) in the Checkpoint dashboard.
Does it make sense to add this bit to the Troubleshooting section instead? Or does it look good here?
https://github.com/elastic/integrations/blob/main/docs/documentation_guidelines.md#troubleshooting
The intention is that this be considered at set-up so that users don't need to get to the stage of troubleshooting.
Package checkpoint - 1.22.0 containing this change is available at https://epr.elastic.co/search?package=checkpoint