Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Suricata] Add Observer Metadata #6985

Merged
merged 24 commits into from
Oct 3, 2023
Merged

[Suricata] Add Observer Metadata #6985

merged 24 commits into from
Oct 3, 2023

Conversation

MakoWish
Copy link
Contributor

@MakoWish MakoWish commented Jul 17, 2023
edited
Loading

Type of change

  • Enhancement

What does this PR do?

The Suricata integration currently supports removing host.* fields if "forwarded" is in tags, but it does not currently populate the observer.* fields. This PR adds that functionality.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have incremented the version my package's manifest.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • Modify default documents config to include "forwarded" tag
  • Verify expected results documents include new observer.* fields

Related issues

@MakoWish MakoWish marked this pull request as ready for review July 17, 2023 19:19
@MakoWish MakoWish requested a review from a team as a code owner July 17, 2023 19:19
@elasticmachine
Copy link

elasticmachine commented Jul 17, 2023
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2023-10-03T00:49:57.963+0000

  • Duration: 14 min 28 sec

Test stats 🧪

Test Results
Failed 0
Passed 14
Skipped 0
Total 14

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

MakoWish and others added 4 commits July 17, 2023 16:52
@MakoWish @efd6
Suggested change from code review
1d78981 
Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
@MakoWish @efd6
Suggested change from code review
0365e64 
Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
@MakoWish
Set "observer" tag on only a couple sample logs
fb99600
@MakoWish
Merge branch 'suricata_add_observer_metadata' of https://github.com/M…
6c43788 
…akoWish/integrations into suricata_add_observer_metadata
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@MakoWish MakoWish changed the title Suricata add observer metadata [Suricata] Add Observer Metadata Jul 20, 2023
@efd6
Copy link
Contributor

efd6 commented Jul 30, 2023

/test

@elasticmachine
Copy link

elasticmachine commented Jul 30, 2023
edited
Loading

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (1/1) 💚
Files 100.0% (5/5) 💚
Classes 100.0% (5/5) 💚
Methods 100.0% (44/44) 💚 8.333
Lines 96.204% (887/922) 👎 -0.44
Conditionals 100.0% (0/0) 💚

efd6
efd6 reviewed Jul 31, 2023
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor nit and then LGTM

packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-alerts.log-config.yml Show resolved Hide resolved
packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-small.log-config.yml Show resolved Hide resolved
MakoWish and others added 2 commits July 31, 2023 08:35
@MakoWish @efd6
Commit suggested change from code review
6b21ef5 
Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
@MakoWish
Merge branch 'main' into suricata_add_observer_metadata
ab44513
@MakoWish
Copy link
Contributor Author

@efd6 ,

Would you mind kicking off a /test?

@efd6
Copy link
Contributor

efd6 commented Aug 28, 2023

/test

@MakoWish @efd6
Update packages/suricata/manifest.yml
cfe6d7f 
Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
@botelastic
Copy link

botelastic bot commented Sep 28, 2023

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Sep 28, 2023
@botelastic botelastic bot removed the Stalled label Sep 28, 2023
@efd6
Copy link
Contributor

efd6 commented Sep 28, 2023

/test

@efd6
Copy link
Contributor

efd6 commented Sep 28, 2023

You'll need to run elastic-package test pipeline -g.

@MakoWish
Copy link
Contributor Author

You'll need to run elastic-package test pipeline -g.

I usually do, but looks like I didn't on this one. Done.

@efd6
Copy link
Contributor

efd6 commented Oct 3, 2023

/test

efd6
efd6 approved these changes Oct 3, 2023
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@efd6 efd6 merged commit cfbe348 into elastic:main Oct 3, 2023
4 checks passed
@elasticmachine
Copy link

Package suricata - 2.18.0 containing this change is available at https://epr.elastic.co/search?package=suricata

@MakoWish MakoWish deleted the suricata_add_observer_metadata branch October 3, 2023 16:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@efd6 efd6 efd6 approved these changes

Assignees
No one assigned
Labels
Integration:suricata Suricata
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Suricata] Enable observer.* Fields for Integration
4 participants
@MakoWish @elasticmachine @efd6 @jamiehynds