[symantec_endpoint] Parse all times relative to configured TZ offset #6509
Conversation
Use the configured time zone offset when interpreting all times. Previously only the syslog header and log export header were interpreted using the time zone offset and other times within the event were treated as if they were UTC. Based on new information we now assume that all times are relative to the time zone offset. Fixes elastic#6499
[git-generate] cd packages/symantec_endpoint elastic-package changelog add --link elastic#6509 --next patch --type bugfix --description "Parse all times relative to the configuretimezone offset."
90461ea to 273bae2
273bae2 to cffd5d0
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
You beat me by a couple of minutes. Can we add the second case provided in the issue as a test?
Sorry, I should have marked myself as assigned.
Will do. Waiting on a few details. #6499 (comment)
What I did was diff --git a/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-policy.log b/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-policy.log
index e25d3a581..6f6dc0796 100644
--- a/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-policy.log
+++ b/packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-policy.log
@@ -1 +1,2 @@
Site: SEPSite,Server: exampleHostname,Domain: exampleDomain,Admin: exampleAdmin,Event Description: Policy has been edited: Edited shared Intrusion Prevention policy: SEPPolicyName,SEPPolicyName
+Jun 7 09:16:10 SERVER SymantecServer: DESKTOP,Category: 0,Smc,Event Description: Received a new policy with serial number AB13-05/30/2023 23:01:52 031 from Symantec Endpoint Protection Manager.,Event time: 2023-06-07 09:09:54 which gave sensible results. |
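Review bot: The added sample line carries two timestamps without any zone indicator (the syslog header `Jun 7 09:16:10` and the trailing `Event time: 2023-06-07 09:09:54`), and the policy serial number `AB13-05/30/2023 23:01:52 031` embeds a date-like string inside the Event Description. The expected-output fixture for this test file should assert both that `Event time` is shifted by the configured offset (the behaviour this PR changes, rather than the previous as-if-UTC reading) and that the serial's embedded date remains part of the serial text and is not picked up as an event time; otherwise the new case does not exercise the fix.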
Log sample given by the user was from SEP 14.3RU7. It was received over syslog. It appears in the "Client Management Logs" section of the SEP client. It looks like a "Policy log" so that's how I named the file, but I'm not confident so I did not edit the pipeline to apply event.provider: Policy Log to the event. The log contained a "group_name" field but we already have a "group" field so I made a pipeline change so that it becomes `symantec_endpoint.log.group`.
Package symantec_endpoint - 2.6.1 containing this change is available at https://epr.elastic.co/search?package=symantec_endpoint
…6509)
* symantec_endpoint - parse all times relative to configured TZ offset
Use the configured time zone offset when interpreting all times. Previously only the syslog header and log export header were interpreted using the time zone offset and other times within the event were treated as if they were UTC. Based on new information we now assume that all times are relative to the time zone offset. Fixes #6499
* Add test case
Log sample given by the user was from SEP 14.3RU7. It was received over syslog. It appears in the "Client Management Logs" section of the SEP client. It looks like a "Policy log" so that's how I named the file, but I'm not confident so I did not edit the pipeline to apply event.provider: Policy Log to the event. The log contained a "group_name" field but we already have a "group" field so I made a pipeline change so that it becomes `symantec_endpoint.log.group`.
What does this PR do?
Use the configured time zone offset when interpreting all times. Previously only the syslog header and log export header were interpreted using the time zone offset and other times within the event were treated as if they were UTC. Based on new information we now assume that all times are relative to the time zone offset.
Fixes #6499
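The following is an added illustration of the behaviour this PR describes; it is not code from the symantec_endpoint integration or its ingest pipeline. It takes a syslog-delivered SEP line shaped like the one in the new test file (host names and dates here are constructed) and interprets both the syslog header time and the `Event time` field in a configured fixed offset before converting to UTC. Calling it with `"+00:00"` reproduces the old as-if-UTC reading, so the two results show how far off `@timestamp` was before the fix. The regex for `Event time` is anchored on the field name so the date-like fragment inside the policy serial number is never mistaken for a timestamp.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the syslog-delivered SEP line added to the
# test file in this PR. Host names and date values are illustrative only.
SAMPLE = (
    "Jun 7 09:16:10 SERVER SymantecServer: DESKTOP,Category: 0,Smc,"
    "Event Description: Received a new policy with serial number "
    "AB13-05/30/2023 23:01:52 031 from Symantec Endpoint Protection Manager.,"
    "Event time: 2023-06-07 09:09:54"
)

# Syslog header: "Mon D HH:MM:SS " at the very start of the line (no year).
SYSLOG_HEADER = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
)
# "Event time" must be its own comma-delimited field, so the "05/30/2023 23:01:52"
# embedded in the serial number above is never matched as an event time.
EVENT_TIME = re.compile(
    r"(?:^|,)Event time: (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:,|$)"
)


def parse_offset(offset: str) -> timezone:
    """Turn a configured offset such as '-07:00' or '+05:30' into a fixed tzinfo."""
    if len(offset) != 6 or offset[0] not in "+-" or offset[3] != ":":
        raise ValueError(f"offset must look like +HH:MM, got {offset!r}")
    sign = 1 if offset[0] == "+" else -1
    hours, minutes = int(offset[1:3]), int(offset[4:6])
    return timezone(sign * timedelta(hours=hours, minutes=minutes))


def parse_times(line: str, tz_offset: str = "+00:00", year: int = 0) -> dict:
    """Interpret every zone-less time in one SEP syslog line in tz_offset and
    return them as UTC ISO-8601 strings.

    Keys: 'event_time' (from the Event time field, if present) and
    'syslog_time' (from the syslog header, if present). The syslog header has
    no year; the Event time year is used when available, else `year`, else the
    current UTC year.
    """
    tz = parse_offset(tz_offset)
    out = {}

    m = EVENT_TIME.search(line)
    if m:
        event = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        out["event_time"] = event.astimezone(timezone.utc).isoformat()
        year = year or event.year

    h = SYSLOG_HEADER.match(line)
    if h:
        year = year or datetime.now(timezone.utc).year
        header = datetime.strptime(
            f"{year} {h['mon']} {int(h['day']):02d} {h['time']}", "%Y %b %d %H:%M:%S"
        ).replace(tzinfo=tz)
        out["syslog_time"] = header.astimezone(timezone.utc).isoformat()

    return out


if __name__ == "__main__":
    # Old behaviour: Event time read as if it were already UTC.
    print("as-if-UTC :", parse_times(SAMPLE, "+00:00", 2023))
    # Fixed behaviour: both times shifted by the configured offset.
    print("with -07:00:", parse_times(SAMPLE, "-07:00", 2023))
```

With a configured offset of `-07:00`, the Event time `2023-06-07 09:09:54` becomes `2023-06-07T16:09:54+00:00`, seven hours later than the `2023-06-07T09:09:54+00:00` the as-if-UTC reading produced; the syslog header moves by the same seven hours, which is the consistency the PR restores. A line with no `Event time` field yields no `event_time` key even though its serial number contains a date and a time.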
Checklist
changelog.yml file.