[symantec_endpoint] Parse all times relative to configured TZ offset #6509
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Use the configured time zone offset when interpreting all times. Previously only the syslog header and log export header were interpreted using the time zone offset and other times within the event were treated as if the were UTC. Based on new information we now assume that all times are relative to the time zone offset. Fixes elastic#6499
andrewkroh
added a commit
to andrewkroh/integrations
that referenced
this pull request
Jun 8, 2023
[git-generate] cd packages/symantec_endpoint elastic-package changelog add --link elastic#6509 --next patch --type bugfix --description "Parse all times relative to the configuretimezone offset."
andrewkroh
force-pushed
the
symantec_endpoint/bugfix/all-times-tz-offset
branch
from
90461ea
to
273bae2
Compare
[git-generate] cd packages/symantec_endpoint elastic-package changelog add --link elastic#6509 --next patch --type bugfix --description "Parse all times relative to the configuretimezone offset."
andrewkroh
force-pushed
the
symantec_endpoint/bugfix/all-times-tz-offset
branch
from
273bae2
to
cffd5d0
Compare
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsExpand to view the GitHub comments
To re-run your PR in the CI, just comment with:
|
efd6
approved these changes
Jun 8, 2023
🌐 Coverage report
|
|
Sorry, I should have marked myself as assigned. |
Will do. Waiting on a few details. #6499 (comment) |
|
What I did was diff --git a/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-policy.log b/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-policy.log
index e25d3a581..6f6dc0796 100644
--- a/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-policy.log
+++ b/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-policy.log
@@ -1 +1,2 @@
Site: SEPSite,Server: exampleHostname,Domain: exampleDomain,Admin: exampleAdmin,Event Description: Policy has been edited: Edited shared Intrusion Prevention policy: SEPPolicyName,SEPPolicyName
+Jun 7 09:16:10 SERVER SymantecServer: DESKTOP,Category: 0,Smc,Event Description: Received a new policy with serial number AB13-05/30/2023 23:01:52 031 from Symantec Endpoint Protection Manager.,Event time: 2023-06-07 09:09:54which gave sensible results. |
Log sample given by the user was from SEP 14.3RU7. It was received over syslog. It appears in the "Client Management Logs" section of the SEP client. It looks like a "Policy log" so that's how I named the file, but I'm not confident so I didn't not edit the pipeline to apply event.provider: Policy Log to the event. The log contained a "group_name" field but we already have a "group" field so I made a pipeline change so that it becomes `symantec_endpoint.log.group`.
|
Package symantec_endpoint - 2.6.1 containing this change is available at https://epr.elastic.co/search?package=symantec_endpoint |
1 similar comment
|
Package symantec_endpoint - 2.6.1 containing this change is available at https://epr.elastic.co/search?package=symantec_endpoint |
sodhikirti07
pushed a commit
that referenced
this pull request
Jun 15, 2023
…6509) * symantec_endpoint - parse all times relative to configured TZ offset Use the configured time zone offset when interpreting all times. Previously only the syslog header and log export header were interpreted using the time zone offset and other times within the event were treated as if the were UTC. Based on new information we now assume that all times are relative to the time zone offset. Fixes #6499 * Add test case Log sample given by the user was from SEP 14.3RU7. It was received over syslog. It appears in the "Client Management Logs" section of the SEP client. It looks like a "Policy log" so that's how I named the file, but I'm not confident so I didn't not edit the pipeline to apply event.provider: Policy Log to the event. The log contained a "group_name" field but we already have a "group" field so I made a pipeline change so that it becomes `symantec_endpoint.log.group`.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Use the configured time zone offset when interpreting all times. Previously only the syslog header and log export header were interpreted using the time zone offset and other times within the event were treated as if the were UTC. Based on new information we now assume that all times are relative to the time zone offset.
Fixes #6499
Checklist
changelog.ymlfile.