[Filebeat] Add Pensando DFW Module #21063
Conversation
Update from original
|
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
1 similar comment
|
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
botelastic
bot
added
the
needs_team
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
Trends 🧪💚 Flaky test reportTests succeeded. Expand to view the summary
Test stats 🧪
|
|
Pinging @elastic/siem (Team:SIEM) |
botelastic
bot
removed
the
needs_team
|
jenkins run the tests please |
|
Hi! We're labeling this issue as |
|
This is still relevant (to us at least). 👍 |
|
This is still relevant and needs to be looked at. Thanks. |
|
Hi! We're labeling this issue as |
|
Yep - still relevant 👍
|
|
@punisherVX could you please update your branch with master? |
There was a problem hiding this comment.
It is looking good!
After the comments I left and finishing up the docs should be in pretty good shape.
Maybe could be interesting to map some of the fields under pensando to ECS (I was thinking about filling up some network.* fields based on pensando.dfw.direction and pensando.dfw.protocol).
LMK if you need anything from our side to move this forward.
Thanks for your patience and hope to get it merged soon 😄
Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com>
There was a problem hiding this comment.
I checked it out locally and some changes are required to fix the pipeline. Once done, you will need to run:
cd filebeat
TESTING_FILEBEAT_MODULES=pensando MODULES_PATH=module GENERATE=true mage -v pythonIntegTest
to regenerate the test golden files.
Please lmk if you need any help. Thanks!!
filebeat/module/pensando/_meta/kibana/7/dashboard/pensando-dfw-overview.json2
Outdated
Show resolved
Hide resolved
Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com>
Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com>
Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com>
Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com>
|
jenkins run tests |
1 similar comment
|
jenkins run tests |
There was a problem hiding this comment.
Sorry I missed that the first time!
Can you re-generate the golden files again after that change?
cd filebeat
TESTING_FILEBEAT_MODULES=pensando MODULES_PATH=module GENERATE=true mage -v pythonIntegTest
This time to double check all is good, run te tests without the GENERATE=true flag.
Thanks!!
Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com>
|
jenkins run tests |
|
Please @punisherVX commit the changes after running |
|
jenkins run tests |
|
Thanks @punisherVX for the hard work! |
Thanks for all the help @marc-gr!! Great learning experience on how this is all done as well. |
* Add Pensando module init * explicitly define the ECS version per testing * updates to docs from make update * updates for pensando module * updates to documentation and db screenshot * add dashboard export to repo * update to add pensando beat * Update filebeat/module/pensando/dfw/config/dfw.yml Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com> * Update pipeline.yml Condensed all "remove" fields to 1 list of fields. * Update pipeline.yml Do not remove the payload_raw field. * Update filebeat/module/pensando/_meta/docs.asciidoc Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> * Update config.yml Added syslog_host and syslog_port values as suggested. * Update docs.asciidoc Added documentation for syslog_host and syslog_port as suggested. * Update pipeline.yml Removing payload_raw - this and json are, essentially, the same field and no longer needed after parsing. * Update pipeline.yml Changed checks if values are != null to use the filebeat specific ignore_empty_value: true instead. * Remove set of event.module Remove the set param for event.module. Filebeat should add this automatically. * Apply suggestions from code review Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> * Update test.log * Use convert instead of set for some fields Changed ECS sets for IP addresses and ports to converts of type ip and integer respectively. * Updates for geoip and autonomous system * add pensando dfw fields * fixes from make -C filebeat update * fixes for filebeat check * make update changes * Update filebeat/module/pensando/dfw/config/dfw.yml Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com> * Update filebeat/module/pensando/dfw/ingest/pipeline.yml Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com> * Update filebeat/module/pensando/dfw/ingest/pipeline.yml Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com> * Update filebeat/module/pensando/dfw/ingest/pipeline.yml Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com> * Update filebeat/module/pensando/dfw/ingest/pipeline.yml Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com> * remove old json file * ran tests * Update filebeat/module/pensando/dfw/ingest/pipeline.yml Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com> * gen after run of 'mage -v pythonIntegTest' * Update fields.yml * mage fmt update request Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com> Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> (cherry picked from commit 4194408)
* Add Pensando module init * explicitly define the ECS version per testing * updates to docs from make update * updates for pensando module * updates to documentation and db screenshot * add dashboard export to repo * update to add pensando beat * Update filebeat/module/pensando/dfw/config/dfw.yml Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com> * Update pipeline.yml Condensed all "remove" fields to 1 list of fields. * Update pipeline.yml Do not remove the payload_raw field. * Update filebeat/module/pensando/_meta/docs.asciidoc Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> * Update config.yml Added syslog_host and syslog_port values as suggested. * Update docs.asciidoc Added documentation for syslog_host and syslog_port as suggested. * Update pipeline.yml Removing payload_raw - this and json are, essentially, the same field and no longer needed after parsing. * Update pipeline.yml Changed checks if values are != null to use the filebeat specific ignore_empty_value: true instead. * Remove set of event.module Remove the set param for event.module. Filebeat should add this automatically. * Apply suggestions from code review Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> * Update test.log * Use convert instead of set for some fields Changed ECS sets for IP addresses and ports to converts of type ip and integer respectively. * Updates for geoip and autonomous system * add pensando dfw fields * fixes from make -C filebeat update * fixes for filebeat check * make update changes * Update filebeat/module/pensando/dfw/config/dfw.yml Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com> * Update filebeat/module/pensando/dfw/ingest/pipeline.yml Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com> * Update filebeat/module/pensando/dfw/ingest/pipeline.yml Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com> * Update filebeat/module/pensando/dfw/ingest/pipeline.yml Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com> * Update filebeat/module/pensando/dfw/ingest/pipeline.yml Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com> * remove old json file * ran tests * Update filebeat/module/pensando/dfw/ingest/pipeline.yml Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com> * gen after run of 'mage -v pythonIntegTest' * Update fields.yml * mage fmt update request Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com> Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> (cherry picked from commit 4194408) Co-authored-by: Edward Arcuri <7133080+punisherVX@users.noreply.github.com>
…-arm * upstream/master: [Metricbeat][Kubernetes] Extend state_node with more conditions (elastic#23905) [CI] googleStorageUploadExt step (elastic#24048) Check fields are documented for aws metricsets (elastic#23887) Update go-concert to 0.1.0 (elastic#23770) [Libbeat][New Processor] XML Decode (elastic#23678) Fix: bad substitution of API key (elastic#24036) [Filebeat] Add Pensando DFW Module (elastic#21063) [Filebeat] Check if processor is supported by ES version (elastic#23763) Syslog system tests: be more forgiving (elastic#24021)
What does this PR do?
Utilized the instructions found here: https://www.elastic.co/guide/en/beats/devguide/current/filebeat-modules-devguide.html
This adds the Pensando distributed firewall (fileset) beat to the release.
Why is it important?
Many of our customers want an easy way to implement our FW logging in/on their Elastic instances.
Checklist
- [ ] I have commented my code, particularly in hard-to-understand areasCHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Author's Checklist
How to test this PR locally
All tests were run using these guidelines to verify logs worked correctly: https://www.elastic.co/guide/en/beats/devguide/current/filebeat-modules-devguide.html#_test
Related issues
None
Use cases
Screenshots
Logs