[IIS] Add regex and tests for Exchange logs #7559
Conversation
Thanks for the PR @LaZyDK. A member of @SubhrataK team will review, as the integration is owned by them.
/test
Ready for another test @aliabbas-elastic
/test
Please run another test now.
/test
This was better. Thanks :)
Ready for review.
@LaZyDK - Is this something that comes as a default log format from the exchange server logs? If we are adding the
@muthu-mps I do believe that this is a default log, as I am seeing this at multiple customers.
Any updates on this one?
Fixed conflicts.
/test
Merge?
Is this alright?
The field change you have made is s-computername as per this commit. When looking into the IIS server the Please look at the pattern with server_name below,
and the sample-event.json with server_name is, Considering the
In my opinion we cannot ignore this GROK pattern, as the one you mention is only used if site_name is also present. Keep in mind that my GROK statement covers the default field order for the Exchange server. Also, the server_name in that particular GROK pattern should be mapped to host.name.
Okay, let me review and add my comments.
packages/iis/data_stream/access/elasticsearch/ingest_pipeline/default.yml
Co-authored-by: muthu-mps <101238137+muthu-mps@users.noreply.github.com>
…default.yml Co-authored-by: muthu-mps <101238137+muthu-mps@users.noreply.github.com>
packages/iis/data_stream/access/_dev/test/pipeline/test-iis10-access.log-expected.json
Ready for test
Test?
Resolved conflicts. Fixed errors relating to 8.7+.
Test?
packages/iis/data_stream/access/_dev/test/pipeline/test-iis-8.log-expected.json
Ready for test
/test
LGTM!
Package iis - 1.17.0 containing this change is available at https://epr.elastic.co/search?package=iis
What does this PR do?
Providing regex and tests for Exchange logs running on IIS 10.0.
- If servername is present, set fields `host.name` and `related.hosts` to conform to ECS.
- Remove duplicates in `related` fields.
- Rearrange script needed for #6610 to function.
- Extract `user.domain`.

Checklist
- changelog.yml file.
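As an added illustration of the ECS mapping the description lists (host.name and related.hosts from the server name, de-duplicated related fields, user.domain split out of the IIS username), here is a small Python model with a constructed W3C log. It is not the integration's own pipeline, which is implemented as Elasticsearch ingest processors, and the #Fields order in the sample is an assumption, not the Exchange default the PR's grok pattern covers.

```python
"""Model of the IIS -> ECS field mapping described in the PR (added example)."""

# Constructed sample: a W3C #Fields header plus two log lines. The field order
# is an assumption for illustration only, not the integration's grok pattern.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip cs-host s-computername sc-status
2023-08-01 10:15:32 10.0.0.5 POST /owa/auth.owa CORP\\jdoe 192.0.2.10 mail.example.test EXCH01 200
2023-08-01 10:15:33 10.0.0.5 GET /ecp/ - 192.0.2.10 EXCH01 EXCH01 401
"""


def parse_w3c(text):
    """Yield one dict per log line keyed by the #Fields names; '-' means absent."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield {k: v for k, v in zip(fields, line.split()) if v != "-"}


def to_ecs(rec):
    """Map a parsed W3C record to the ECS fields the PR touches."""
    ecs = {"related": {"hosts": [], "ip": [], "user": []}}
    # Split DOMAIN\user into user.domain and user.name (the user.domain change).
    if "cs-username" in rec:
        domain, _, name = rec["cs-username"].rpartition("\\")
        ecs["user"] = {"name": name}
        if domain:
            ecs["user"]["domain"] = domain
        ecs["related"]["user"].append(name)
    # If the server name is present, set host.name and add it to related.hosts.
    if "s-computername" in rec:
        ecs["host"] = {"name": rec["s-computername"]}
        ecs["related"]["hosts"].append(rec["s-computername"])
    if "cs-host" in rec:
        ecs["related"]["hosts"].append(rec["cs-host"])
    for key in ("s-ip", "c-ip"):
        if key in rec:
            ecs["related"]["ip"].append(rec[key])
    # Remove duplicates in related.* while keeping first-seen order; drop empties.
    for key, vals in ecs["related"].items():
        ecs["related"][key] = list(dict.fromkeys(vals))
    ecs["related"] = {k: v for k, v in ecs["related"].items() if v}
    return ecs


def process(text=SAMPLE_LOG):
    """Return the ECS documents for every line in the sample log."""
    return [to_ecs(r) for r in parse_w3c(text)]
```

The second sample line has the same value in cs-host and s-computername, so it shows the related.hosts de-duplication the PR adds.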