[Zeek] Moving edge processing to ingest pipelines #895

P1llus · 2021-04-07T15:39:40Z

What does this PR do?

This PR moves all edge processing for the zeek filesets to ES ingest pipelines, adds pipeline tests to each fileset, and adds splunk data to each fileset golden files to test.

Checklist

I have reviewed tips for building integrations and this pull request is aligned with them.
I have verified that all data streams collect metrics or logs.
I have added an entry to my package's changelog.yml file.

Related issues

Closes Convert Zeek's edge processing to Ingest Node pipeline #664

… pipeline

…f .f is dot expanded or not

P1llus · 2021-04-08T17:05:03Z

On the topic of splitting out the splunk specific parts into a specific pipeline, we decided to move that to a separate PR, once we have the possibility to store a single pipeline that can be shared between filesets.

leehinman · 2021-04-08T20:38:45Z

I tried a diff noticed a couple of things ( diff src )
zeek.irc.command is missing
zeek.irc.user is difference
zeek.notice.actions is new
zeek.notice.suppress_for now has decimal point
in http url.port removed
in http url.path added
in dhcp destination.port changed to 68
zeek.dhcp.domain missing
zeek.dhcp.lease_time now has decimal point
zeek.files.duration now has decimal point
zeek.files.md5 missing
zeek.files.mime_type missing
zeek.files.sha1 missing
and dns is different but I think that is expected.

P1llus · 2021-04-12T09:40:12Z

I tried a diff noticed a couple of things ( diff src )
zeek.irc.command is missing
zeek.irc.user is difference
zeek.notice.actions is new
zeek.notice.suppress_for now has decimal point
in http url.port removed
in http url.path added
in dhcp destination.port changed to 68
zeek.dhcp.domain missing
zeek.dhcp.lease_time now has decimal point
zeek.files.duration now has decimal point
zeek.files.md5 missing
zeek.files.mime_type missing
zeek.files.sha1 missing
and dns is different but I think that is expected.

Thanks for taking the time @leehinman . I think what happen here is that I renamed a few that was originally "converted". I was a bit unsure why we store the same data in both zeek fields and ECS fields. I am going through all the logs now and fixing up the small bits and pieces.

P1llus · 2021-04-13T10:43:39Z

Manually went through all the golden files and applied some small fixes. The DNS fileset can still be ignored for now.

The only issue left is a few float values that does not want to convert, so I removed the convert processors for now, maybe someone else has an idea, the issues are in:

zeek.dhcp.duration
zeek.dhcp.lease_time
zeek.notice.suppress_for
zeek.files.duration

Running a convert processor with type long on these would return errors like:
zeek/files test-files.log:
[0] unexpected pipeline error: For input string: \"0.0\"
[1] unexpected pipeline error: For input string: \"5.316734313964844E-5\"
zeek/notice test-notice.log:
[0] unexpected pipeline error: For input string: \"3600.0\"
zeek/files test-files.log:
[0] unexpected pipeline error: For input string: \"0.0\"
[1] unexpected pipeline error: For input string: \"5.316734313964844E-5\"
zeek/notice test-notice.log:
[0] unexpected pipeline error: For input string: \"3600.0\"

P1llus · 2021-04-13T12:12:43Z

Any handling of event.original, duplicate fields etc discussed earlier will be handled in a separate PR to this.

andrewkroh · 2021-04-13T14:09:09Z

The only issue left is a few float values that does not want to convert, so I removed the convert processors for now, maybe someone else has an idea, the issues are in:

I did a quick test with convert and had no issues with those float values as inputs. Are the quotes part of the input value?

{
  "docs": [
    {
      "doc": {
        "_index": "_index",
        "_id": "_id",
        "_source": {
          "float_output": 0.000053167343,
          "float_in": "5.316734313964844E-5"
        },
        "_ingest": {
          "timestamp": "2021-04-13T14:06:12.744211906Z"
        }
      }
    },
    {
      "doc": {
        "_index": "_index",
        "_id": "_id",
        "_source": {
          "float_output": 0,
          "float_in": "0.0"
        },
        "_ingest": {
          "timestamp": "2021-04-13T14:06:12.744218811Z"
        }
      }
    },
    {
      "doc": {
        "_index": "_index",
        "_id": "_id",
        "_source": {
          "float_output": 3600,
          "float_in": "3600.0"
        },
        "_ingest": {
          "timestamp": "2021-04-13T14:06:12.744221446Z"
        }
      }
    }
  ]
}

andrewkroh

Nice work, this is a big undertaking. Apart from DNS changes that are pending, LGTM.

leehinman · 2021-04-13T22:27:41Z

LGTM. awesome work.

P1llus · 2021-04-23T19:14:38Z

jenkins run tests

…x the CI issues

* update capture_loss dataset * update capture_loss fileset * adding updates to connection fileset * updating capture_loss and connection pipeline, adding updated dce_rpc pipeline * updating dhcp fileset, renaming some test files as well * adding updates to dnp3 fileset * adding unfinished dns fileset, waiting for registered_domain processor * updating dpd pipeline and removing edge processors * updating files pipeline and removing edge processors * updating ftp pipeline and removing edge processors * updating http pipeline and removing edge processors * updating intel pipeline and removing edge processors * updating irc pipeline and removing edge processors * updating kerberos pipeline and removing edge processors * updating modbus pipeline and removing edge processors * updating mysql pipeline and removing edge processors * updating notice pipeline and removing edge processors, unsure about if .f is dot expanded or not * updating ntlm pipeline and removing edge processors * updating ocsp pipeline and removing edge processors * updating pe pipeline and removing edge processors * updating radius pipeline and removing edge processors * updating rdp pipeline and removing edge processors * updating rfb pipeline and removing edge processors * updating sip pipeline and removing edge processors * updating smb_cmd pipeline and removing edge processors * updating smb_files pipeline and removing edge processors * updating smb_mapping pipeline and removing edge processors * updating smtp pipeline and removing edge processors * updating snmp pipeline and removing edge processors * updating socks pipeline and removing edge processors * updating ssh pipeline and removing edge processors * updating ssl pipeline and removing edge processors * updating stats pipeline and removing edge processors * updating syslog pipeline and removing edge processors * updating traceroute pipeline and removing edge processors * updating tunnel pipeline and removing edge processors * updating tunnel pipeline and removing edge processors * updating weird pipeline and removing edge processors * updating x509 pipeline and removing edge processors * Cleaning up all filesets to make it more consistent, fixed some typos and added more test data * update changelog * applying small fixes to all the filesets * moving edge processing to ingest pipeline for dns fileset * moving edge processing to ingest pipeline for dns fileset * moving edge processing to ingest pipeline for dns fileset * elastic-package format * remove underscore from testfile names to pass elastic-package check * updating golden files for geo changes * updating golden files for geo changes * update golden files * updating dynamic fields with geo fields as well, to pass CI * adding all geo and as fields to dynamic fields * reverting dynamic field changes and resolving issue in CI * merging with master and updating the golden files one last time to fix the CI issues * updating non existent port in test logs

P1llus added 30 commits March 29, 2021 13:09

update capture_loss dataset

e16eaef

update capture_loss fileset

6c42f97

adding updates to connection fileset

e44a626

updating capture_loss and connection pipeline, adding updated dce_rpc…

bcaf18a

… pipeline

updating dhcp fileset, renaming some test files as well

2aebc73

adding updates to dnp3 fileset

3d826e5

adding unfinished dns fileset, waiting for registered_domain processor

edbf5c4

updating dpd pipeline and removing edge processors

dfb898e

updating files pipeline and removing edge processors

9eb1b15

updating ftp pipeline and removing edge processors

287803e

updating http pipeline and removing edge processors

a57f823

updating intel pipeline and removing edge processors

9bfab73

updating irc pipeline and removing edge processors

7d17dbf

updating kerberos pipeline and removing edge processors

7e99433

updating modbus pipeline and removing edge processors

ec2ab75

updating mysql pipeline and removing edge processors

57108bb

updating notice pipeline and removing edge processors, unsure about i…

bfb5859

…f .f is dot expanded or not

updating ntlm pipeline and removing edge processors

456c470

updating ocsp pipeline and removing edge processors

8f719eb

updating pe pipeline and removing edge processors

9cd1d18

updating radius pipeline and removing edge processors

fc88177

updating rdp pipeline and removing edge processors

7a04002

updating rfb pipeline and removing edge processors

fc77a52

updating sip pipeline and removing edge processors

da73277

updating smb_cmd pipeline and removing edge processors

a142256

updating smb_files pipeline and removing edge processors

244b743

updating smb_mapping pipeline and removing edge processors

c0f4b31

updating smtp pipeline and removing edge processors

c3f8c04

updating snmp pipeline and removing edge processors

2e815aa

updating socks pipeline and removing edge processors

0e7873d

applying small fixes to all the filesets

ebe1eae

andrewkroh reviewed Apr 13, 2021

View reviewed changes

P1llus added 6 commits April 19, 2021 14:00

moving edge processing to ingest pipeline for dns fileset

0f9c831

moving edge processing to ingest pipeline for dns fileset

fc0a17d

moving edge processing to ingest pipeline for dns fileset

4f2def7

elastic-package format

9cc67a4

remove underscore from testfile names to pass elastic-package check

b5ae6de

updating golden files for geo changes

8ab9ad7

andrewkroh approved these changes Apr 19, 2021

View reviewed changes

P1llus added 7 commits April 20, 2021 09:42

Merge branch 'master' into package_zeek_remove_edge_processing

773c52f

updating golden files for geo changes

7a50833

Merge branch 'master' into package_zeek_remove_edge_processing

f3b75c1

update golden files

99eb1a3

updating dynamic fields with geo fields as well, to pass CI

429829b

adding all geo and as fields to dynamic fields

e6e1ebc

reverting dynamic field changes and resolving issue in CI

e299b05

P1llus added 3 commits April 23, 2021 21:48

Merge branch 'master' into package_zeek_remove_edge_processing

0318dfa

merging with master and updating the golden files one last time to fi…

cb432a2

…x the CI issues

updating non existent port in test logs

7cfdf7e

P1llus merged commit 1c19f76 into elastic:master Apr 23, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Zeek] Moving edge processing to ingest pipelines #895

[Zeek] Moving edge processing to ingest pipelines #895

P1llus commented Apr 7, 2021 •

edited

P1llus commented Apr 8, 2021

leehinman commented Apr 8, 2021

P1llus commented Apr 12, 2021

P1llus commented Apr 13, 2021

P1llus commented Apr 13, 2021

andrewkroh commented Apr 13, 2021

andrewkroh left a comment

leehinman commented Apr 13, 2021

P1llus commented Apr 23, 2021

[Zeek] Moving edge processing to ingest pipelines #895

[Zeek] Moving edge processing to ingest pipelines #895

Conversation

P1llus commented Apr 7, 2021 • edited

What does this PR do?

Checklist

Related issues

P1llus commented Apr 8, 2021

leehinman commented Apr 8, 2021

P1llus commented Apr 12, 2021

P1llus commented Apr 13, 2021

P1llus commented Apr 13, 2021

andrewkroh commented Apr 13, 2021

andrewkroh left a comment

Choose a reason for hiding this comment

leehinman commented Apr 13, 2021

P1llus commented Apr 23, 2021

P1llus commented Apr 7, 2021 •

edited