[winlog] Convert to an input package. #8010
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
I want you to be aware of https://github.com/elastic/fleet-winlog-7x-policies. It was created to support a user that needed edge processing (until LS can run Fleet integration pipelines). That project should be updated to ensure that the package policies can continue to be installed.
Added a PR to that repo that can be merged after this one 👍
Have you performed an upgrade test where you have winlog 1.20.0 installed, and then upgrade to this new version and everything keeps functioning?
Can we change the type of `event.module` to keyword? I have heard from users that `constant_keyword` is a problem for use cases where this input is used to ingest data from custom channels, and they want to make the data look like our other integrations (e.g. `event.module: security`).
I added dynamic ecs mapping, that should take care of this 👍
Yes, tried an upgrade and it kept working normally
Package winlog - 2.0.0 containing this change is available at https://epr.elastic.co/search?package=winlog
Full disclosure: I detail this further in the official Elastic support portal under case #01610754. Noticing an issue on a fresh stack version 8.12.1 install where the create fleet package policy API for the Data stream backing index template "logs-winlog.winlog", an ingest pipeline, and component templates "logs-winlog.winlog@package" and "logs-winlog.winlog@custom" are not loaded with an apparent Kibana log message error which reads:
Did a manual upload of GET .kibana_ingest/_search?q=epm-packages.name:winlog

```json
{
  "took": 1,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 1,
      "relation": "eq"
    },
    "max_score": 1.3862942,
    "hits": [
      {
        "_index": ".kibana_ingest_8.12.1_001",
        "_id": "epm-packages:winlog",
        "_score": 1.3862942,
        "_source": {
          "epm-packages": {
            "installed_kibana": [],
            "installed_kibana_space_id": "default",
            "installed_es": [],
            "package_assets": [
              { "id": "293a22b2-8e4e-5c7d-8249-6b32a38a651b", "type": "epm-packages-assets" },
              { "id": "2367f0f5-ce06-5e20-b9dc-75f5807da180", "type": "epm-packages-assets" },
              { "id": "cc49d170-a6c9-56b3-a40f-fa662f700661", "type": "epm-packages-assets" },
              { "id": "c9576881-c05a-5c54-99aa-40f2c0fefd7d", "type": "epm-packages-assets" },
              { "id": "b3de468f-d2e5-5ab6-9e95-ade91d0371e4", "type": "epm-packages-assets" },
              { "id": "d8fb4d51-b5ff-5446-8a75-d9da1ecde649", "type": "epm-packages-assets" },
              { "id": "fec7a0e7-5d0a-5ad0-bad3-e6bddc286ccd", "type": "epm-packages-assets" },
              { "id": "db6a867f-8dcc-5bac-8289-c20ce3b8bb9f", "type": "epm-packages-assets" },
              { "id": "eae37891-e71b-5bad-b369-c717ba725f92", "type": "epm-packages-assets" },
              { "id": "ee1dd87b-e640-56d7-a149-7503868a51b3", "type": "epm-packages-assets" },
              { "id": "f51e6b17-6813-576d-bbc0-5aa4d35defd7", "type": "epm-packages-assets" }
            ],
            "es_index_patterns": {},
            "name": "winlog",
            "version": "2.1.1",
            "install_version": "2.1.1",
            "install_status": "installed",
            "install_started_at": "2024-04-30T19:26:54.301Z",
            "install_source": "upload",
            "install_format_schema_version": "1.1.0",
            "verification_status": "verified",
            "verification_key_id": "d27d666cd88e42b4",
            "latest_install_failed_attempts": []
          },
          "type": "epm-packages",
          "references": [],
          "managed": false,
          "coreMigrationVersion": "8.8.0",
          "typeMigrationVersion": "10.1.0",
          "updated_at": "2024-04-30T19:26:54.903Z",
          "created_at": "2024-04-29T23:46:55.955Z"
        }
      }
    ]
  }
}
```

Can anyone confirm whether or not they can replicate this issue regarding the PR in subject?
What does this PR do?
Converts `winlog` package from an integration to an input type package. Removes support for Splunk data stream.
Checklist
- changelog.yml file.
Related issues
- `type: input` #7820
Screenshots