[Infoblox NIOS] Update timestamp parsing logic #8767
Conversation
🚀 Benchmarks reportTo see the full report comment with |
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
| - remove: | ||
| field: event.created | ||
| ignore_missing: true |
There was a problem hiding this comment.
Should this deletion also happen in the next date processor?
There was a problem hiding this comment.
I've made logic bit clearer and this is irrelevant now.
I've made commit message more clearer. Let me know if that explains the issue. Thanks! |
|
Package infoblox_nios - 1.19.3 containing this change is available at https://epr.elastic.co/search?package=infoblox_nios |
* upstream/main: (117 commits) [TI MISP] Add IOC expiration support (#8639) Add CSPM Rules 6.2, 6.3 and 6.4 (#8778) [Infoblox NIOS] Update timestamp parsing logic (#8767) [Rapid7 InsightVM] Split vulnerability categories into array (#8768) [Exchange Online Message Trace] Add Additional Look-back Time & Fix Cursor Value (#8717) [Buildkite] Update bucket settings (#8765) Remove Jenkins .ci folder (#8766) First part of removal of Jenkins jobs (#8763) misp: parse URIs for URI type threats (#8760) [amazon_security_lake] Added support for all the OCSF Classes (#8579) [Buildkite] Update settings for integrations pipeline (#8758) [TI ThreatQ] Add IOC expiration support (#8691) [ti_opencti] Support OpenCTI 5.12 by removing filters parameter (#8744) [Cribl] Updating setup guidance for Cribl field (#8746) crowdstrike: add userinfo enrichment support and map fields to ECS (#8742) [etcd] Enable TSDB for metrics datastream (#8649) Bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#8749) auditd: relax field_split pattern and handle AVC header (#8748) Update cloud packages codeowner (#8672) [O11Y] [AWS Billing] Convert "Total Estimated Charges" visualization to new metric (#8509) ...
Proposed commit message
There are 2 style of log formats (regards to how timestamps are handled).
<29>Mar 21 09:53:51 infoblox.localdomain httpd[]: 2022-03-18 13:24:41.705Z [admin]: ........<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: ............Event 1: Contains 2 timestamps inside the log. In current default pipeline, the first timestamp
Mar 21 09:53:51is set asevent.createdand then individual pipelines sets second timestamp as@timestampif present.Event 2: Contains 1 timestamp inside the log. In current default pipeline, the only timestamp
Mar 27 08:32:59is set asevent.createdand a set processor copies that into@timestampif@timestampis not already present from individual pipelines.But, when Logstash is involved in between Agent and Elasticsearch, it adds
@timestampto the event before ingest pipeline. Hence, the logs format 2, i.e., containing single timestamp, skips the set processor leading to incorrect@timestampvalues and also not conforming to ECS norm @timestamp < event.created < event.ingested.This PR fixes the problem by:
@timestampinside them.override: truein the default pipeline, thus overriding the value of@timestampwith event's timestamp.Checklist
changelog.ymlfile.How to test this PR locally
elastic-package stack down && elastic-package build && elastic-package stack up --version=8.11.0 -d -v --services=elasticsearch && eval "$(elastic-package stack shellinit)" && elastic-package test pipeline --generate -v