Merge pull request #1743 from ashnwade/patch-to-main

Release/v5.8.9: Merge next-patch to main

Author: ashnwade

_static/versions.json

@@ -1,10 +1,14 @@
 [
   {
-    "name": "v5.8.8 (latest)",
-    "version": "v5.8.8",
+    "name": "v5.8.9 (latest)",
+    "version": "v5.8.9",
     "url": "/",
     "preferred": true
   },
+  {
+    "version": "v5.8.8",
+    "url": "/v5.8.8/"
+  },
   {
     "version": "v5.8.7",
     "url": "/v5.8.7/"

changelog/5.8.9.md

@@ -0,0 +1,57 @@
+# Changelog for version 5.8.9
+
+## Released 11 December 2025
+
+## Gravwell
+
+```{attention}
+This release contains a high priority bug fix for a security violation where secrets were not properly masked in error messages when running scripts. Secrets may be exposed in notifications or stored in log messages as a result of the script.  See the remediation and validation section below.
+```
+
+### Additions
+
+* Added a flag in the [regex](/search/regex/regex.md) module to enable array mode, which extracts all matches of each capture group into array enumerated values.
+* Added an [`evs_to_json()`](#eval-evs-to-json) function to the eval module to return a JSON object of all the EVs on a given entry.
+
+### Bug Fixes
+
+* Fixed an issue where secrets were not properly masked in error messages when running scripts.
+* Fixed an issue where the tooltip was incorrect for cron specs with multiple hour ranges.
+* Fixed an issue where the webserver could sometimes lock-up when using direct search with a query attempting to write to a read-only resource.
+
+## Ingester Changes
+
+### Additions
+
+* Added a [Regex Replace Preprocessor](/ingesters/preprocessors/regexreplace) to perform regular expression-based find and replace operations on entry data.
+
+### Bug Fixes
+
+* Fixed version numbers on macOS ingesters.
+
+
+## Remediation and Validation
+
+The secret leakage occurs when a script directly embeds a secret into an error message and returns the error during execution.  Secrets are and were properly masked if the error messages were simply printed as debug messages in the script but were not properly masked during the error handling logic.  We have found a few instances where this bug could expose secrets:
+
+1. A script deliberately creates an error message with the embedded secret and returns it.
+2. A script embeds a secret as part of an SQL connection string and then fails to connect to an SQL server then returns the SQL connection error.
+3. A script uses a secret as part of a hostname for a connection string and a DNS lookup fails.
+
+
+Unfortunately error messages from scripts are logged to the `gravwell` tag which further exacerbates the leak.  Gravwell highly recommends users change secrets which have been used in the SQL and network connection strings in scripts.
+
+To validate if secrets have been leaked as a result of scripts returning them in errors, the following query will identify errors strings from scripts:
+
+
+```gravwell
+tag=gravwell syslog -s Appname == searchagent Message == error name error
+| table TIMESTAMP error
+```
+
+
+To check a specific script filter on the name EV. 
+```gravwell
+tag=gravwell syslog -s Appname == searchagent Message == error name=="test" error
+| table TIMESTAMP error
+```

changelog/list.md

@@ -7,7 +7,7 @@
 maxdepth: 1
 caption: Current Release
 ---
-5.8.8 <5.8.8>
+5.8.9 <5.8.9>
 ```
 
 ## Previous Versions
@@ -18,6 +18,7 @@ maxdepth: 1
 caption: Previous Releases
 ---
 
+5.8.8 <5.8.8>
 5.8.7 <5.8.7>
 5.8.6 <5.8.6>
 5.8.5 <5.8.5>

conf.py

@@ -22,7 +22,7 @@
 project = "Gravwell"
 copyright = f"Gravwell, Inc. {date.today().year}"
 author = "Gravwell, Inc."
-release = "v5.8.8"
+release = "v5.8.9"
 
 # Default to localhost:8000, so the version switcher looks OK on livehtml
 version_list_url = os.environ.get(

ingesters/preprocessors/preprocessors.md

@@ -128,6 +128,7 @@ srcrouter <srcrouter>
 tagrouter <tagRouter>
 regextimestamp <regextimestamp>
 regexextract <regexextract>
+regexreplace <regexreplace>
 forwarder <forwarder>
 gravwellforwarder <gravwellforwarder>
 drop <drop>
@@ -150,6 +151,7 @@ plugin <plugin>
 | [tagrouter](tagRouter) | Route entries to specific tags based on the tag, or a combination of tag and either IP address or network |
 | [regextimestamp](regextimestamp) | Perform complex timestamp processing using regular expressions |
 | [regexextract](regexextract) | Perform data extractions and repacking using regular expressions |
+| [regexreplace](regexreplace) | Perform regex-based find and replace operations on entries |
 | [forwarder](forwarder) | Forward entries using TCP or UDP connections |
 | [gravwellforwarder](gravwellforwarder) | Forward entries using a Gravwell ingest connection |
 | [drop](drop) | Simple dropping preprocessor, it stops all entries from moving through the preprocessor chain |

ingesters/preprocessors/regexreplace.md

@@ -0,0 +1,92 @@
+# Regex Replace Preprocessor
+
+The Regex Replace preprocessor performs regular expression-based find and replace operations on entry data. This is useful for sanitizing sensitive data, normalizing log formats, or transforming data before ingestion.
+
+The Regex Replace preprocessor Type is `regexreplace`.
+
+## Supported Options
+
+* `Regex` (string, required): The regular expression pattern to match against entry data. Supports standard Go regular expression syntax including named capture groups.
+* `Replacement` (string, required): The replacement string. Can reference capture groups using `$1`, `$2`, etc. for numbered groups or `${name}` for named groups.
+* `Case-Sensitive` (boolean, optional): When set to `true`, the regex matching is case-sensitive. When `false` (the default), matching is case-insensitive.
+
+## Common Use Cases
+
+The regexreplace preprocessor is commonly used for:
+
+* Sanitizing sensitive data 
+* Normalizing log formats across different sources
+* Stripping or replacing unwanted characters or patterns
+* Transforming data for easier downstream processing
+
+### Example: Redacting Numbers
+
+To redact all numbers from log entries (e.g., for removing phone numbers, IDs, or other sensitive numeric data):
+
+```
+Phone: 123-456-7890, Age: 25, ID: 987654321
+```
+
+Use the following configuration:
+
+```
+[Preprocessor "redact-numbers"]
+	Type=regexreplace
+	Regex=`\d+`
+	Replacement=`REDACTED`
+```
+
+The result is:
+
+```
+Phone: REDACTED-REDACTED-REDACTED, Age: REDACTED, ID: REDACTED
+```
+
+### Example: Case-Insensitive Replacement
+
+To replace all occurrences of a word regardless of case:
+
+```
+This is a TEST string with Test words
+```
+
+Use the following configuration:
+
+```
+[Preprocessor "normalize-test"]
+	Type=regexreplace
+	Regex=`test`
+	Replacement=`example`
+	Case-Sensitive=false
+```
+
+The result is:
+
+```
+This is a example string with example words
+```
+
+### Example: Modifying JSON Fields
+
+Given JSON log data where you want to modify a specific field:
+
+```
+{"name":"john","age":30,"city":"new york"}
+```
+
+Use named capture groups to extract and modify the value:
+
+```
+[Preprocessor "modify-json"]
+	Type=regexreplace
+	Regex=`"name":"(?P<n>[^"]*)"`
+	Replacement=`"name":"${n}_modified"`
+	Case-Sensitive=true
+```
+
+The result is:
+
+```
+{"name":"john_modified","age":30,"city":"new york"}
+```
+

quickstart/quickstart.md

@@ -55,7 +55,7 @@ This guide is suitable for Community Edition users as well as users with a paid
 
 You may find the [installation checklist](checklist) and the [glossary](/glossary/glossary) useful companions to this document.
 
-If you are interested in a complete training package, please see the [complete training PDF](https://github.com/gravwell/training/releases/download/v5.8.8/gravwell_training_v5.8.8.pdf). The Gravwell training PDF is the complete training manual which is paired with labs and exercises. The exercises are built from the open source [Gravwell Training](https://github.com/gravwell/training) repository.
+If you are interested in a complete training package, please see the [complete training PDF](https://github.com/gravwell/training/releases/download/v5.8.9/gravwell_training_v5.8.9.pdf). The Gravwell training PDF is the complete training manual which is paired with labs and exercises. The exercises are built from the open source [Gravwell Training](https://github.com/gravwell/training) repository.
 
 ```{note}
 Community Edition users will need to obtain their own license from [https://www.gravwell.io/download](https://www.gravwell.io/download) before beginning installation. Paid users should already have received a license file via email.

search/eval/eval.md

@@ -236,7 +236,7 @@ Maps have a limit of 1000000 keys. Any new key assigned to a map after this limi
 
 ### Arrays
 
-Eval supports the `array` enumerated value type. Arrays currently can only be created in the eval module and appear to other modules as string representations of the array contents (for example, `[ apple orange banana ]`).
+Eval supports the `array` enumerated value type. Arrays currently can only be created in the eval and regex modules and appear to other modules as string representations of the array contents (for example, `[ apple orange banana ]`).
 
 #### Declaring arrays
 
@@ -1051,6 +1051,27 @@ Sets a key/value pair in the given object. The value's type is evaluated at runt
 
 Returns a Gravwell array enumerated value based on the given JSON array. JSON types are evaluated at runtime and individual array items will be set to their equivalent Gravwell types, or a string if no mapping exists.
 
+(eval-evs-to-json)=
+#### evs_to_json
+
+    function evs_to_json() string
+
+Returns a JSON object containing all enumerated values attached to the current entry. Each EV name becomes a key in the JSON object, and the EV value is serialized to its corresponding JSON type (number, string, boolean, array, or object). Durations, MAC addresses, and timestamps are serialized as strings.
+
+Example
+
+```
+tag=gravwell syslog Appname Hostname Message
+| eval output = evs_to_json();
+| table output
+```
+
+This would produce output like:
+
+```
+{"Appname":"webserver","Hostname":"potato","Message":"connection established"}
+```
+
 
 (eval-math)=
 ### Math

search/maclookup/maclookup.md

@@ -10,7 +10,7 @@ Before using the maclookup module, you must have a database of MAC prefixes in a
 
 ## Supported Options
 
-* `-r <arg>`: The “-r” option specifies the resource name or UUID which contains a macdb database.  If no "-r" is specified, the geoip module uses the default "mac_prefixes" resource name.
+* `-r <arg>`: The “-r” option specifies the resource name or UUID which contains a macdb database.  If no "-r" is specified, the maclookup module uses the default "mac_prefixes" resource name.
 * `-s`: The “-s” option specifies that the maclookup module should operate in strict mode.  In strict mode, if any of the specified operators cannot resolve a MAC, the entry is dropped.
 
 ## Processing Operators

search/regex/regex.md

@@ -26,6 +26,7 @@ regex <argument list> <regular expression> [filter arguments]
 * `-r <arg>`: The “-r” option specifies that the regular expression statement is located in a resource file. 
 * `-v`: The "-v" option tells regex to operate in inverse mode, dropping any entries which match the regex and passing entries which do not match.
 * `-p`: The "-p" option tells regex to allow entries through if the regular expression does not match at all.  The permissive flag does not change the operation of filters.
+* `-a`: The "-a" option enables array mode, which extracts all matches of each capture group into array enumerated values instead of just the first match. This is useful when an entry contains multiple occurrences of a pattern.
 
 ```{note}
 Storing especially large regular expressions in resource files can clean up queries, and allows for easy reuse.  If `-r` is specified, do not specify a regular expression in the query -- instead the contents of the resource will be used. Handy!
@@ -70,6 +71,18 @@ tag=syslog grep sshd | regex `shd.*Accepted (?P<method>\S*) for (?P<user>\S*) fr
 | table method user ip
 ```
 
+### Array Mode Example
+
+The `-a` flag extracts all matches of each capture group into array enumerated values. This is useful when a single entry contains multiple occurrences of a pattern.
+
+For example, to extract all numbers from each entry into an array:
+
+```gravwell
+tag=default regex -a `(?P<num>\d+)` | table num
+```
+
+If an entry contains "foo 123 bar 456 baz 789", the `num` enumerated value will be an array containing `[123, 456, 789]`.
+
 ## Full regular expression syntax
 
 The following is copied from [the re2 documentation](https://github.com/google/re2/wiki/Syntax) (see [their license](https://raw.githubusercontent.com/google/re2/refs/heads/main/LICENSE))