Skip to content

Cherry-pick #20138 to 7.x: [Filebeat] Update crowdstrike module#20176

Merged
andrewstucki merged 2 commits intoelastic:7.xfrom
andrewstucki:backport_20138_7.x
Jul 23, 2020
Merged

Cherry-pick #20138 to 7.x: [Filebeat] Update crowdstrike module#20176
andrewstucki merged 2 commits intoelastic:7.xfrom
andrewstucki:backport_20138_7.x

Conversation

@andrewstucki
Copy link
Copy Markdown

@andrewstucki andrewstucki commented Jul 23, 2020
edited by zube bot
Loading

Cherry-pick of PR #20138 to 7.x branch. Original message:

What does this PR do?

I've been in the crowdstrike module recently anyway and noticed that there was an open issue reporting some parsing errors. I went ahead and just added some fixes for them.

One thing to note--due to normalizing all timestamps to UNIX_MS this is technically a breaking change. Do we want to be more conservative about the normalization?

Checklist

  • My code follows the style guidelines of this project
  • [ ] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

[Filebeat] Update crowdstrike module (elastic#20138)
af470f8 
* Update crowdstrike module

(cherry picked from commit 5e9a3a5)
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Jul 23, 2020

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Jul 23, 2020
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Jul 23, 2020
edited by jenkins-beats-ci bot
Loading

💔 Tests Failed

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Pull request #20176 updated]

  • Start Time: 2020-07-23T03:04:56.077+0000

  • Duration: 58 min 1 sec

Test stats 🧪

Test Results
Failed 19
Passed 4247
Skipped 685
Total 4951

Test errors

Expand to view the tests failures

  • Name: Build and Test / Filebeat x-pack / test_fileset_file_056_o365 – test_xpack_modules.XPackTest
    • Age: 1
    • Duration: 3.688
    • Error Details: The following expected object doesn't match:
      Diff:
      {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
      {'log.offset': 0, 'source.geo.continent_name': 'Europe', 'source.geo.region_iso_code': 'ES-B', 'source.geo.city_name': 'Barcelona', 'source.geo.country_iso_code': 'ES', 'source.geo.region_name': 'Barcelona', 'source.geo.location.lon': 2.1611, 'source.geo.location.lat': 41.3891, 'source.as.number': 3352, 'source.as.organization.name': 'Telefonica De Espana', 'source.ip': '213.97.47.133', 'network.type': 'ipv4', 'o365.audit.Site': 'd5180cfc-3479-44d6-b410-8c985ac894e3', 'o365.audit.ObjectId': 'https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png', 'o365.audit.SourceFileName': 'Screenshot 2020-01-27 at 11.30.48.png', 'o365.audit.ItemType': 'File', 'o365.audit.UserKey': 'i:0h.f|membership|1003200096971f55@live.com', 'o365.audit.SiteUrl': 'https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/', 'o365.audit.Operation': 'FileDeleted', 'o365.audit.OrganizationId': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'o365.audit.SourceFileExtension': 'png', 'o365.audit.ClientIP': '213.97.47.133', 'o365.audit.Workload': 'OneDrive', 'o365.audit.SourceRelativeUrl': 'Documents', 'o365.audit.EventSource': 'SharePoint', 'o365.audit.ListId': '2b6ad2bd-0fd7-4556-9c89-a97847085b85', 'o365.audit.RecordType': 6, 'o365.audit.Version': 1, 'o365.audit.WebId': '8c5c94bb-8396-470c-87d7-8999f440cd30', 'o365.audit.UserId': 'asr@testsiem.onmicrosoft.com', 'o365.audit.CreationTime': '2020-02-07T16:44:07', 'o365.audit.UserAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0', 'o365.audit.Id': 'ec04aa09-0a43-4879-cdc8-08d7abecf327', 'o365.audit.CorrelationId': '652b339f-908c-a000-f25f-91423da7dd9b', 'o365.audit.UserType': 0, 'o365.audit.ListItemUniqueId': '4803608a-df7d-4f63-aa73-67aa33bb576e', 'file.extension': 'png', 'file.name': 'Screenshot 2020-01-27 at 11.30.48.png', 'file.directory': 'Documents', 'related.ip': '213.97.47.133', 'related.user': 'asr', 'host.name': 'testsiem.onmicrosoft.com', 'host.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'client.address': '213.97.47.133', 'client.ip': '213.97.47.133', 'event.code': 'SharePointFileOperation', 'event.provider': 'OneDrive', 'event.kind': 'event', 'event.module': 'o365', 'event.action': 'FileDeleted', 'event.id': 'ec04aa09-0a43-4879-cdc8-08d7abecf327', 'event.category': 'file', 'event.type': 'deletion', 'event.dataset': 'o365.audit', 'event.outcome': 'success', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.14', 'user_agent.os.full': 'Mac OS X 10.14', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '72.0.', 'fileset.name': 'audit', 'url.original': 'https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png', 'tags': ['forwarded'], 'input.type': 'log', '@timestamp': '2020-02-07T16:44:07.000Z', 'service.type': 'o365', 'organization.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'user.domain': 'testsiem.onmicrosoft.com', 'user.name': 'asr', 'user.id': 'asr@testsiem.onmicrosoft.com'}
      -------------------- >> begin captured stdout << ---------------------
      Using elasticsearch: http://elasticsearch:9200
      Testing o365/audit on /go/src/github.com/elastic/beats/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log

--------------------- >> end captured stdout << ----------------------

  • Name: Build and Test / Filebeat x-pack / test_fileset_file_060_o365 – test_xpack_modules.XPackTest
    • Age: 1
    • Duration: 3.366
    • Error Details: The following expected object doesn't match:
      Diff:
      {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
      {'log.offset': 0, 'source.geo.continent_name': 'Europe', 'source.geo.region_iso_code': 'ES-B', 'source.geo.city_name': 'Barcelona', 'source.geo.country_iso_code': 'ES', 'source.geo.region_name': 'Barcelona', 'source.geo.location.lon': 2.1611, 'source.geo.location.lat': 41.3891, 'source.as.number': 3352, 'source.as.organization.name': 'Telefonica De Espana', 'source.ip': '213.97.47.133', 'fileset.name': 'audit', 'network.type': 'ipv4', 'tags': ['forwarded'], 'o365.audit.Site': 'd5180cfc-3479-44d6-b410-8c985ac894e3', 'o365.audit.ObjectId': 'https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx', 'o365.audit.ItemType': 'Page', 'o365.audit.UserKey': 'i:0h.f|membership|1003200096971f55@live.com', 'o365.audit.OrganizationId': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'o365.audit.Operation': 'PageViewed', 'o365.audit.ClientIP': '213.97.47.133', 'o365.audit.Workload': 'OneDrive', 'o365.audit.EventSource': 'SharePoint', 'o365.audit.RecordType': 4, 'o365.audit.Version': 1, 'o365.audit.WebId': '8c5c94bb-8396-470c-87d7-8999f440cd30', 'o365.audit.UserId': 'asr@testsiem.onmicrosoft.com', 'o365.audit.CreationTime': '2020-02-07T16:43:53', 'o365.audit.UserAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0', 'o365.audit.CustomUniqueId': True, 'o365.audit.Id': '99d005e6-a4c6-46fd-117c-08d7abeceab5', 'o365.audit.CorrelationId': '622b339f-4000-a000-f25f-92b3478c7a25', 'o365.audit.ListItemUniqueId': '59a8433d-9bb8-cfef-6edc-4c0fc8b86875', 'o365.audit.UserType': 0, 'input.type': 'log', '@timestamp': '2020-02-07T16:43:53.000Z', 'related.ip': '213.97.47.133', 'related.user': 'asr', 'service.type': 'o365', 'organization.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'host.name': 'testsiem.onmicrosoft.com', 'host.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'client.address': '213.97.47.133', 'client.ip': '213.97.47.133', 'event.code': 'SharePoint', 'event.provider': 'OneDrive', 'event.kind': 'event', 'event.module': 'o365', 'event.action': 'PageViewed', 'event.id': '99d005e6-a4c6-46fd-117c-08d7abeceab5', 'event.category': 'web', 'event.type': 'info', 'event.dataset': 'o365.audit', 'event.outcome': 'success', 'user.domain': 'testsiem.onmicrosoft.com', 'user.name': 'asr', 'user.id': 'asr@testsiem.onmicrosoft.com', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.14', 'user_agent.os.full': 'Mac OS X 10.14', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '72.0.'}
      -------------------- >> begin captured stdout << ---------------------
      Using elasticsearch: http://elasticsearch:9200
      Testing o365/audit on /go/src/github.com/elastic/beats/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log

--------------------- >> end captured stdout << ----------------------

  • Name: Build and Test / Filebeat x-pack / test_fileset_file_061_o365 – test_xpack_modules.XPackTest
    • Age: 1
    • Duration: 3.614
    • Error Details: The following expected object doesn't match:
      Diff:
      {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
      {'log.offset': 3965, 'source.geo.continent_name': 'Europe', 'source.geo.region_iso_code': 'ES-B', 'source.geo.city_name': 'Barcelona', 'source.geo.country_iso_code': 'ES', 'source.geo.region_name': 'Barcelona', 'source.geo.location.lon': 2.1611, 'source.geo.location.lat': 41.3891, 'source.as.number': 3352, 'source.as.organization.name': 'Telefonica De Espana', 'source.ip': '79.159.10.151', 'fileset.name': 'audit', 'tags': ['forwarded'], 'network.type': 'ipv4', 'o365.audit.Site': 'd5180cfc-3479-44d6-b410-8c985ac894e3', 'o365.audit.ObjectId': 'https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com//personal/asr_testsiem_onmicrosoft_com/Sharing Links', 'o365.audit.UserKey': 'i:0h.f|membership|1003200096971f55@live.com', 'o365.audit.ItemType': 'List', 'o365.audit.Operation': 'SharingInheritanceBroken', 'o365.audit.SiteUrl': 'https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com', 'o365.audit.OrganizationId': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'o365.audit.ClientIP': '79.159.10.151', 'o365.audit.EventData': 'FalseFalse', 'o365.audit.Workload': 'OneDrive', 'o365.audit.SourceRelativeUrl': 'Sharing Links', 'o365.audit.EventSource': 'SharePoint', 'o365.audit.ListId': 'b108938d-3546-4359-925d-a1b54b4db8c2', 'o365.audit.RecordType': 14, 'o365.audit.Version': 1, 'o365.audit.UserId': 'asr@testsiem.onmicrosoft.com', 'o365.audit.WebId': '8c5c94bb-8396-470c-87d7-8999f440cd30', 'o365.audit.CreationTime': '2020-02-14T18:25:45', 'o365.audit.UserAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0', 'o365.audit.CorrelationId': 'fe71359f-005f-9000-7cb1-ccf5124703db', 'o365.audit.Id': 'dd162cd7-5df5-4fef-078a-08d7b17b4e95', 'o365.audit.UserType': 0, 'input.type': 'log', '@timestamp': '2020-02-14T18:25:45.000Z', 'related.ip': '79.159.10.151', 'related.user': 'asr', 'service.type': 'o365', 'organization.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'host.name': 'testsiem.onmicrosoft.com', 'host.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'client.address': '79.159.10.151', 'client.ip': '79.159.10.151', 'event.code': 'SharePointSharingOperation', 'event.provider': 'OneDrive', 'event.kind': 'event', 'event.module': 'o365', 'event.action': 'SharingInheritanceBroken', 'event.id': 'dd162cd7-5df5-4fef-078a-08d7b17b4e95', 'event.type': 'info', 'event.category': 'web', 'event.dataset': 'o365.audit', 'event.outcome': 'success', 'user.domain': 'testsiem.onmicrosoft.com', 'user.name': 'asr', 'user.id': 'asr@testsiem.onmicrosoft.com', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.14', 'user_agent.os.full': 'Mac OS X 10.14', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '73.0.'}
      -------------------- >> begin captured stdout << ---------------------
      Using elasticsearch: http://elasticsearch:9200
      Testing o365/audit on /go/src/github.com/elastic/beats/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log

--------------------- >> end captured stdout << ----------------------

  • Name: Build and Test / Filebeat x-pack / test_fileset_file_062_o365 – test_xpack_modules.XPackTest
    • Age: 1
    • Duration: 8.264
    • Error Details: The following expected object doesn't match:
      Diff:
      {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
      {'log.offset': 0, 'source.geo.continent_name': 'Europe', 'source.geo.region_iso_code': 'ES-B', 'source.geo.city_name': 'Barcelona', 'source.geo.country_iso_code': 'ES', 'source.geo.region_name': 'Barcelona', 'source.geo.location.lon': 2.1611, 'source.geo.location.lat': 41.3891, 'source.as.number': 3352, 'source.as.organization.name': 'Telefonica De Espana', 'source.ip': '83.57.233.151', 'fileset.name': 'audit', 'network.type': 'ipv4', 'tags': ['forwarded'], 'o365.audit.AzureActiveDirectoryEventType': 1, 'o365.audit.UserKey': '1003200096971F55@testsiem.onmicrosoft.com', 'o365.audit.ActorIpAddress': '83.57.233.151', 'o365.audit.Operation': 'UserLoggedIn', 'o365.audit.OrganizationId': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'o365.audit.ExtendedProperties.ResultStatusDetail': 'Success', 'o365.audit.ExtendedProperties.UserAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0', 'o365.audit.ExtendedProperties.KeepMeSignedIn': 'False', 'o365.audit.ExtendedProperties.UserAuthenticationMethod': '9', 'o365.audit.ExtendedProperties.RequestType': 'OAuth2:Authorize', 'o365.audit.IntraSystemId': 'c4206c29-46c2-4a6f-a46b-735107705400', 'o365.audit.Target': [{'Type': 0, 'ID': '00000002-0000-0000-c000-000000000000'}], 'o365.audit.RecordType': 15, 'o365.audit.Version': 1, 'o365.audit.SupportTicketId': '', 'o365.audit.Actor': [{'Type': 0, 'ID': '755e500a-6c03-46b0-b53b-282f23374e3b'}, {'Type': 5, 'ID': 'asr@testsiem.onmicrosoft.com'}, {'Type': 3, 'ID': '1003200096971F55'}], 'o365.audit.ActorContextId': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'o365.audit.ObjectId': '00000002-0000-0000-c000-000000000000', 'o365.audit.ResultStatus': 'Succeeded', 'o365.audit.ClientIP': '83.57.233.151', 'o365.audit.Workload': 'AzureActiveDirectory', 'o365.audit.UserId': 'asr@testsiem.onmicrosoft.com', 'o365.audit.TargetContextId': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'o365.audit.CreationTime': '2020-02-10T15:13:13', 'o365.audit.Id': 'ca0efc24-1b89-4962-8fef-a3ac5437302f', 'o365.audit.InterSystemsId': '03616b3a-fc75-46a1-b34a-2d82fc8f1e7e', 'o365.audit.ApplicationId': '4345a7b9-9a63-4910-a426-35363201d503', 'o365.audit.UserType': 0, 'input.type': 'log', '@timestamp': '2020-02-10T15:13:13.000Z', 'related.ip': '83.57.233.151', 'related.user': 'asr', 'service.type': 'o365', 'organization.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'host.name': 'testsiem.onmicrosoft.com', 'host.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'client.address': '83.57.233.151', 'client.ip': '83.57.233.151', 'event.code': 'AzureActiveDirectoryStsLogon', 'event.provider': 'AzureActiveDirectory', 'event.kind': 'event', 'event.module': 'o365', 'event.action': 'UserLoggedIn', 'event.id': 'ca0efc24-1b89-4962-8fef-a3ac5437302f', 'event.type': ['start', 'authentication_success'], 'event.category': 'authentication', 'event.dataset': 'o365.audit', 'event.outcome': 'success', 'user.domain': 'testsiem.onmicrosoft.com', 'user.name': 'asr', 'user.id': 'asr@testsiem.onmicrosoft.com', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.14', 'user_agent.os.full': 'Mac OS X 10.14', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '72.0.'}
      -------------------- >> begin captured stdout << ---------------------
      Using elasticsearch: http://elasticsearch:9200
      Testing o365/audit on /go/src/github.com/elastic/beats/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log

--------------------- >> end captured stdout << ----------------------

  • Name: Build and Test / Filebeat x-pack / test_fileset_file_095_cylance – test_xpack_modules.XPackTest
    • Age: 1
    • Duration: 9.209
    • Error Details: The following expected object doesn't match:
      Diff:
      {'values_changed': {"root['rsa.time.event_time']": {'new_value': '2020-07-24T10:58:48.000Z', 'old_value': '2019-07-24T10:58:48.000Z'}, "root['@timestamp']": {'new_value': '2020-07-24T10:58:48.000Z', 'old_value': '2019-07-24T10:58:48.000Z'}}}, full object:
      {'rsa.internal.messageid': 'CylancePROTECT', 'rsa.identity.firstname': 'rinc', 'rsa.identity.lastname': 'tno', 'rsa.investigations.event_cat': 1609000000, 'rsa.investigations.event_cat_name': 'System.Alerts', 'rsa.time.event_time': '2020-07-24T10:58:48.000Z', 'rsa.db.index': 'rExce', 'rsa.misc.device_name': 'ncididu', 'rsa.misc.event_type': 'Alert', 'rsa.misc.mail_id': 'meumf', 'rsa.network.alias_host': ['squ2213.www.test'], 'log.offset': 24048, 'fileset.name': 'protect', 'tags': ['cylance.protect', 'forwarded'], 'observer.product': 'Protect', 'observer.vendor': 'Cylance', 'observer.type': 'Anti-Virus', 'input.type': 'log', '@timestamp': '2020-07-24T10:58:48.000Z', 'service.type': 'cylance', 'host.name': 'squ2213.www.test', 'event.original': '24-Jul-2019 8:58:48 very-high uiacon6640.api.localhost suntexpl <sBonoru 24T08:58:48.everi squ2213.www.test CylancePROTECT Event Name:Alert, Device Message: Device: ncididu; Zones Removed: itati; Zones Added: nostrude, User: rinc tno (meumf), Zone Names:rExce Device Id: quisquam', 'event.code': 'CylancePROTECT', 'event.module': 'cylance', 'event.action': 'Alert', 'event.dataset': 'cylance.protect'}
      -------------------- >> begin captured stdout << ---------------------
      Using elasticsearch: http://elasticsearch:9200
      Testing cylance/protect on /go/src/github.com/elastic/beats/x-pack/filebeat/module/cylance/protect/test/generated.log

--------------------- >> end captured stdout << ----------------------

  • Name: Build and Test / Filebeat x-pack / test_fileset_file_106_okta – test_xpack_modules.XPackTest
    • Age: 1
    • Duration: 3.416
    • Error Details: The following expected object doesn't match:
      Diff:
      {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
      {'log.offset': 0, 'source.geo.continent_name': 'North America', 'source.geo.region_iso_code': 'US-CA', 'source.geo.city_name': 'Dublin', 'source.geo.country_iso_code': 'US', 'source.geo.region_name': 'California', 'source.geo.location.lon': -121.919, 'source.geo.location.lat': 37.7201, 'source.as.number': 7018, 'source.as.organization.name': 'AT&T Services, Inc.', 'source.ip': '108.255.197.247', 'source.user.full_name': 'xxxxxx', 'source.user.id': '00u1abvz4pYqdM8ms4x6', 'fileset.name': 'system', 'tags': ['forwarded'], 'input.type': 'log', '@timestamp': '2020-02-14T22:18:51.843Z', 'related.ip': '108.255.197.247', 'related.user': 'xxxxxx', 'service.type': 'okta', 'client.geo.city_name': 'Dublin', 'client.geo.country_name': 'United States', 'client.geo.location.lon': -121.919, 'client.geo.location.lat': 37.7201, 'client.geo.region_name': 'California', 'client.ip': '108.255.197.247', 'client.user.full_name': 'xxxxxx', 'client.user.id': '00u1abvz4pYqdM8ms4x6', 'event.original': '{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"108.255.197.247","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/login/signout","threatSuspected":"false","url":"/login/signout?message=login_page_messages.session_has_expired"}},"displayMessage":"User logout from Okta","eventType":"user.session.end","legacyEventType":"core.user_auth.logout_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T22:18:51.843Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"108.255.197.247","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkccyyMli2Uay2I93ZgRzQAAB0c","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"}', 'event.kind': 'event', 'event.module': 'okta', 'event.action': 'user.session.end', 'event.id': 'faf7398a-4f77-11ea-97fb-5925e98228bd', 'event.type': ['access'], 'event.category': ['authentication'], 'event.dataset': 'okta.system', 'event.outcome': 'success', 'okta.actor.id': '00u1abvz4pYqdM8ms4x6', 'okta.actor.type': 'User', 'okta.actor.display_name': 'xxxxxx', 'okta.actor.alternate_id': 'xxxxxx@elastic.co', 'okta.debug_context.debug_data.threat_suspected': 'false', 'okta.debug_context.debug_data.request_id': 'XkccyyMli2Uay2I93ZgRzQAAB0c', 'okta.debug_context.debug_data.request_uri': '/login/signout', 'okta.debug_context.debug_data.url': '/login/signout?message=login_page_messages.session_has_expired', 'okta.event_type': 'user.session.end', 'okta.authentication_context.authentication_step': 0, 'okta.authentication_context.external_session_id': '102nZHzd6OHSfGG51vsoc22gw', 'okta.client.zone': 'null', 'okta.client.ip': '108.255.197.247', 'okta.client.device': 'Computer', 'okta.client.user_agent.raw_user_agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0', 'okta.client.user_agent.os': 'Mac OS X', 'okta.client.user_agent.browser': 'FIREFOX', 'okta.display_message': 'User logout from Okta', 'okta.uuid': 'faf7398a-4f77-11ea-97fb-5925e98228bd', 'okta.outcome.result': 'SUCCESS', 'okta.transaction.id': 'XkccyyMli2Uay2I93ZgRzQAAB0c', 'okta.transaction.type': 'WEB', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.15', 'user_agent.os.full': 'Mac OS X 10.15', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '72.0.'}
      -------------------- >> begin captured stdout << ---------------------
      Using elasticsearch: http://elasticsearch:9200
      Testing okta/system on /go/src/github.com/elastic/beats/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log

--------------------- >> end captured stdout << ----------------------

  • Name: Build and Test / Filebeat x-pack / test_fileset_file_167_zscaler – test_xpack_modules.XPackTest
    • Age: 1
    • Duration: 9.117
    • Error Details: The following expected object doesn't match:
      Diff:
      {'values_changed': {"root['user_agent.device.name']": {'new_value': 'U307AS', 'old_value': 'Generic Smartphone'}}}, full object:
      {'rsa.internal.data': 'amco', 'rsa.internal.messageid': 'ZSCALERNSS_1', 'rsa.web.fqdn': 'orsitame3262.domain', 'rsa.identity.user_dept': 'onev', 'rsa.investigations.ec_subject': 'User', 'rsa.investigations.ec_activity': 'Deny', 'rsa.investigations.ec_theme': 'Communication', 'rsa.investigations.event_vcat': 'uptassi', 'rsa.time.timezone': 'CT', 'rsa.time.event_time': '2016-02-26T10:15:08.000Z', 'rsa.threat.threat_category': 'tur', 'rsa.db.index': 'nsequat', 'rsa.misc.result': 'success', 'rsa.misc.filter': 'tconsec', 'rsa.misc.reference_id': 'laboreet', 'rsa.misc.action': ['giatq', 'Blocked'], 'rsa.misc.result_code': 'tia', 'rsa.misc.category': 'llu', 'rsa.network.alias_host': ['orsitame3262.domain'], 'log.offset': 1742, 'destination.bytes': 1837, 'destination.ip': ['10.204.86.149'], 'source.bytes': 2935, 'source.ip': ['10.254.146.57'], 'network.protocol': 'igmp', 'network.bytes': 6905, 'observer.product': 'Internet', 'observer.vendor': 'Zscaler', 'observer.type': 'Configuration', 'file.type': 'oluptas', 'related.ip': ['10.254.146.57', '10.204.86.149'], 'related.user': ['tenima'], 'host.name': 'orsitame3262.domain', 'event.original': 'amco ZSCALERNSS: time=exe Feb 26 8:15:08 2016^^timezone=CT^^action=Blocked^^reason=success^^hostname=orsitame3262.domain^^protocol=igmp^^serverip=10.204.86.149^^url=https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte^^urlcategory=tconsec^^urlclass=nsequat^^dlpdictionaries=taev^^dlpengine=roidents^^filetype=oluptas^^threatcategory=llu^^threatclass=uptassi^^pagerisk=tamremap^^threatname=tur^^clientpublicIP=aperi^^ClientIP=10.254.146.57^^location=estqui^^refererURL=https://www5.example.net/emaper/ssitasp.html?enimad=rmagni#sit^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=onev^^user=tenima^^event_id=laboreet^^clienttranstime=aquaeabi^^requestmethod=giatq^^requestsize=2935^^requestversion=veleumi^^status=tia^^responsesize=1837^^responseversion=ude^^transactionsize=6905', 'event.code': 'laboreet', 'event.timezone': 'CT', 'event.module': 'zscaler', 'event.action': 'Blocked', 'event.dataset': 'zscaler.zia', 'user_agent.original': 'Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36', 'user_agent.os.name': 'Android', 'user_agent.os.version': '9', 'user_agent.os.full': 'Android 9', 'user_agent.name': 'Chrome Mobile', 'user_agent.device.name': 'U307AS', 'user_agent.version': '83.0.4103.83', 'fileset.name': 'zia', 'url.original': 'https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte', 'tags': ['zscaler.zia', 'forwarded'], 'input.type': 'log', '@timestamp': '2016-02-26T10:15:08.000Z', 'service.type': 'zscaler', 'http.request.referrer': 'https://www5.example.net/emaper/ssitasp.html?enimad=rmagni#sit', 'user.name': 'tenima'}
      -------------------- >> begin captured stdout << ---------------------
      Using elasticsearch: http://elasticsearch:9200
      Testing zscaler/zia on /go/src/github.com/elastic/beats/x-pack/filebeat/module/zscaler/zia/test/generated.log

--------------------- >> end captured stdout << ----------------------

  • Name: Build and Test / Filebeat x-pack / test_fileset_file_180_suricata – test_xpack_modules.XPackTest
    • Age: 1
    • Duration: 3.56
    • Error Details: The following expected object doesn't match:
      Diff:
      {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
      {'log.offset': 985, 'destination.address': '192.168.86.28', 'destination.port': 63963, 'destination.ip': '192.168.86.28', 'destination.domain': '192.168.86.28', 'source.address': '192.168.86.85', 'source.port': 56119, 'source.ip': '192.168.86.85', 'fileset.name': 'eve', 'url.path': '/dd.xml', 'url.original': '/dd.xml', 'url.domain': '192.168.86.28', 'tags': ['suricata'], 'network.community_id': '1:gjMiDGtS5SVvdwzjjQdAKGBrDA4=', 'network.protocol': 'http', 'network.transport': 'tcp', 'input.type': 'log', '@timestamp': '2018-07-05T19:43:47.690Z', 'related.ip': ['192.168.86.85', '192.168.86.28'], 'service.type': 'suricata', 'http.request.method': 'GET', 'http.response.status_code': 200, 'http.response.body.bytes': 1155, 'suricata.eve.in_iface': 'en0', 'suricata.eve.event_type': 'http', 'suricata.eve.flow_id': 2115002772430095, 'suricata.eve.http.protocol': 'HTTP/1.1', 'suricata.eve.http.http_content_type': 'text/xml', 'suricata.eve.tx_id': 0, 'event.original': '{"timestamp":"2018-07-05T15:43:47.690014-0400","flow_id":2115002772430095,"in_iface":"en0","event_type":"http","src_ip":"192.168.86.85","src_port":56119,"dest_ip":"192.168.86.28","dest_port":63963,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.86.28","url":"\/dd.xml","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.99 Safari\/537.36","http_content_type":"text\/xml","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1155}}', 'event.kind': 'event', 'event.module': 'suricata', 'event.category': ['network', 'web'], 'event.type': ['access', 'protocol'], 'event.dataset': 'suricata.eve', 'event.outcome': 'success', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.13.5', 'user_agent.os.full': 'Mac OS X 10.13.5', 'user_agent.name': 'Chrome', 'user_agent.device.name': 'Mac', 'user_agent.version': '67.0.3396.99'}
      -------------------- >> begin captured stdout << ---------------------
      Using elasticsearch: http://elasticsearch:9200
      Testing suricata/eve on /go/src/github.com/elastic/beats/x-pack/filebeat/module/suricata/eve/test/eve-small.log

--------------------- >> end captured stdout << ----------------------

  • Name: Build and Test / Filebeat x-pack / test_fileset_file_189_googlecloud – test_xpack_modules.XPackTest
    • Age: 1
    • Duration: 3.836
    • Error Details: The following expected object doesn't match:
      Diff:
      {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
      {'log.offset': 945, 'log.logger': 'projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access', 'source.ip': '192.168.1.1', 'fileset.name': 'audit', 'tags': ['forwarded'], 'cloud.project.id': 'elastic-beats', 'input.type': 'log', '@timestamp': '2019-12-19T00:45:51.228Z', 'service.name': 'compute.googleapis.com', 'service.type': 'googlecloud', 'event.kind': 'event', 'event.module': 'googlecloud', 'event.action': 'beta.compute.machineTypes.aggregatedList', 'event.id': '-h6onuze1h7dg', 'event.dataset': 'googlecloud.audit', 'event.outcome': 'failure', 'googlecloud.audit.request.proto_name': 'type.googleapis.com/compute.machineTypes.aggregatedList', 'googlecloud.audit.authentication_info.principal_email': 'xxx@xxx.xxx', 'googlecloud.audit.method_name': 'beta.compute.machineTypes.aggregatedList', 'googlecloud.audit.request_metadata.caller_ip': '192.168.1.1', 'googlecloud.audit.request_metadata.caller_supplied_user_agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)', 'googlecloud.audit.service_name': 'compute.googleapis.com', 'googlecloud.audit.num_response_items': 71, 'googlecloud.audit.authorization_info': [{'permission': 'compute.machineTypes.list', 'resource_attributes': {'service': 'resourcemanager', 'name': 'projects/elastic-beats', 'type': 'resourcemanager.projects'}, 'granted': False}], 'googlecloud.audit.resource_name': 'projects/elastic-beats/global/machineTypes', 'googlecloud.audit.type': 'type.googleapis.com/google.cloud.audit.AuditLog', 'googlecloud.audit.resource_location.current_locations': ['global'], 'user.email': 'xxx@xxx.xxx', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.15', 'user_agent.os.full': 'Mac OS X 10.15', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '71.0.'}
      -------------------- >> begin captured stdout << ---------------------
      Using elasticsearch: http://elasticsearch:9200
      Testing googlecloud/audit on /go/src/github.com/elastic/beats/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log

--------------------- >> end captured stdout << ----------------------

  • Name: Build and Test / Filebeat x-pack / test_fileset_file_208_tomcat – test_xpack_modules.XPackTest
    • Age: 1
    • Duration: 8.978
    • Error Details: The following expected object doesn't match:
      Diff:
      {'values_changed': {"root['user_agent.device.name']": {'new_value': 'G8142', 'old_value': 'Generic Smartphone'}}}, full object:
      {'rsa.internal.level': 1516, 'rsa.internal.messageid': 'asdf', 'rsa.web.web_ref_domain': 'mail.example.net', 'rsa.web.alias_host': 'https://example.com/illumqui/ventore.html?min=ite#utl', 'rsa.web.fqdn': 'https://example.com/illumqui/ventore.html?min=ite#utl', 'rsa.web.web_cookie': 'aliqu', 'rsa.time.timezone': 'OMST', 'rsa.time.event_time': '2016-01-29T08:09:59.000Z', 'rsa.misc.action': ['exercita'], 'rsa.misc.result_code': 'ntsunti', 'rsa.network.network_service': 'oremi', 'log.offset': 0, 'source.bytes': 5293, 'source.ip': ['10.251.224.219'], 'fileset.name': 'log', 'url.domain': 'example.com', 'url.query': 'amremap', 'tags': ['tomcat.log', 'forwarded'], 'observer.product': 'TomCat', 'observer.vendor': 'Apache', 'observer.type': 'Web', 'input.type': 'log', '@timestamp': '2016-01-29T08:09:59.000Z', 'file.name': 'vol', 'related.ip': ['10.251.224.219'], 'related.user': ['rci'], 'service.type': 'tomcat', 'http.request.referrer': 'https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer', 'event.original': '%APACHETOMCAT-1516-asdf: 10.251.224.219||eacommod||rci||[29/Jan/2016:6:09:59 OMST]||exercita||https://example.com/illumqui/ventore.html?min=ite#utl||vol||amremap||oremi||ntsunti||5293||https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aliqu', 'event.code': 'asdf', 'event.timezone': 'OMST', 'event.module': 'tomcat', 'event.dataset': 'tomcat.log', 'user.name': 'rci', 'user_agent.original': 'Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36', 'user_agent.os.name': 'Android', 'user_agent.os.version': '9', 'user_agent.os.full': 'Android 9', 'user_agent.name': 'Chrome Mobile', 'user_agent.device.name': 'G8142', 'user_agent.version': '83.0.4103.83'}
      -------------------- >> begin captured stdout << ---------------------
      Using elasticsearch: http://elasticsearch:9200
      Testing tomcat/log on /go/src/github.com/elastic/beats/x-pack/filebeat/module/tomcat/log/test/generated.log

--------------------- >> end captured stdout << ----------------------

  • Name: Build and Test / Filebeat oss / test_fileset_file_019_apache – test_modules.Test
    • Age: 1
    • Duration: 2.444
    • Error Details: The following expected object doesn't match:
      Diff:
      {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
      {'log.offset': 73, 'source.address': '192.168.33.1', 'source.ip': '192.168.33.1', 'fileset.name': 'access', 'url.original': '/hello', 'input.type': 'log', '@timestamp': '2016-12-26T16:22:13.000Z', 'service.type': 'apache', 'http.request.referrer': '-', 'http.request.method': 'GET', 'http.response.status_code': 404, 'http.response.body.bytes': 499, 'http.version': '1.1', 'event.kind': 'event', 'event.module': 'apache', 'event.category': 'web', 'event.dataset': 'apache.access', 'event.outcome': 'failure', 'user.name': '-', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.12', 'user_agent.os.full': 'Mac OS X 10.12', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '50.0.'}
      -------------------- >> begin captured stdout << ---------------------
      Using elasticsearch: http://elasticsearch:9200
      Testing apache/access on /go/src/github.com/elastic/beats/filebeat/tests/system/../../module/apache/access/test/test.log

--------------------- >> end captured stdout << ----------------------

  • Name: Build and Test / Filebeat oss / test_fileset_file_020_apache – test_modules.Test
    • Age: 1
    • Duration: 1.818
    • Error Details: The following expected object doesn't match:
      Diff:
      {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
      {'log.offset': 98, 'source.address': '192.168.33.1', 'source.ip': '192.168.33.1', 'fileset.name': 'access', 'url.original': '/', 'input.type': 'log', '@timestamp': '2016-12-26T16:22:00.000Z', 'service.type': 'apache', 'http.request.referrer': '-', 'http.request.method': 'GET', 'http.response.status_code': 200, 'http.response.body.bytes': 484, 'http.version': '1.1', 'event.kind': 'event', 'event.module': 'apache', 'event.category': 'web', 'event.dataset': 'apache.access', 'event.outcome': 'success', 'user.name': '-', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.12.0', 'user_agent.os.full': 'Mac OS X 10.12.0', 'user_agent.name': 'Chrome', 'user_agent.device.name': 'Mac', 'user_agent.version': '54.0.2840.98'}
      -------------------- >> begin captured stdout << ---------------------
      Using elasticsearch: http://elasticsearch:9200
      Testing apache/access on /go/src/github.com/elastic/beats/filebeat/tests/system/../../module/apache/access/test/ubuntu-2.2.22.log

--------------------- >> end captured stdout << ----------------------

  • Name: Build and Test / Filebeat oss / test_fileset_file_021_apache – test_modules.Test
    • Age: 1
    • Duration: 1.858
    • Error Details: The following expected object doesn't match:
      Diff:
      {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
      {'log.offset': 0, 'destination.domain': 'vhost1.domaine.fr', 'source.ip': '192.168.33.2', 'fileset.name': 'access', 'url.original': '/hello', 'input.type': 'log', '@timestamp': '2016-12-26T16:22:14.000Z', 'service.type': 'apache', 'http.request.referrer': '-', 'http.request.method': 'GET', 'http.response.status_code': 404, 'http.response.body.bytes': 499, 'http.version': '1.1', 'event.kind': 'event', 'event.module': 'apache', 'event.category': 'web', 'event.dataset': 'apache.access', 'event.outcome': 'failure', 'user.name': '-', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.12', 'user_agent.os.full': 'Mac OS X 10.12', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '50.0.'}
      -------------------- >> begin captured stdout << ---------------------
      Using elasticsearch: http://elasticsearch:9200
      Testing apache/access on /go/src/github.com/elastic/beats/filebeat/tests/system/../../module/apache/access/test/test-vhost.log

--------------------- >> end captured stdout << ----------------------

  • Name: Build and Test / Filebeat oss / test_fileset_file_028_iis – test_modules.Test
    • Age: 1
    • Duration: 1.874
    • Error Details: The following expected object doesn't match:
      Diff:
      {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
      {'log.offset': 1204, 'destination.address': '127.0.0.1', 'destination.port': 80, 'destination.domain': 'example.com', 'destination.ip': '127.0.0.1', 'source.geo.continent_name': 'Europe', 'source.geo.region_iso_code': 'DE-BE', 'source.geo.city_name': 'Berlin', 'source.geo.country_iso_code': 'DE', 'source.geo.region_name': 'Land Berlin', 'source.geo.location.lon': 13.4531, 'source.geo.location.lat': 52.4473, 'source.as.number': 6805, 'source.as.organization.name': 'Telefonica Germany', 'source.address': '85.181.35.98', 'source.ip': '85.181.35.98', 'fileset.name': 'access', 'url.path': '/', 'input.type': 'log', 'iis.access.site_name': 'W3SVC1', 'iis.access.server_name': 'MACHINE-NAME', 'iis.access.sub_status': 0, 'iis.access.win32_status': 0, '@timestamp': '2018-01-01T10:11:12.000Z', 'related.ip': ['85.181.35.98', '127.0.0.1'], 'service.type': 'iis', 'http.request.method': 'GET', 'http.request.body.bytes': 456, 'http.response.status_code': 200, 'http.response.body.bytes': 123, 'http.version': '1.1', 'event.duration': 789000000, 'event.kind': 'event', 'event.module': 'iis', 'event.category': ['web', 'network'], 'event.type': ['connection'], 'event.dataset': 'iis.access', 'event.outcome': 'success', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.14.0', 'user_agent.os.full': 'Mac OS X 10.14.0', 'user_agent.name': 'Chrome', 'user_agent.device.name': 'Mac', 'user_agent.version': '70.0.3538.102'}
      -------------------- >> begin captured stdout << ---------------------
      Using elasticsearch: http://elasticsearch:9200
      Testing iis/access on /go/src/github.com/elastic/beats/filebeat/tests/system/../../module/iis/access/test/test.log

--------------------- >> end captured stdout << ----------------------

  • Name: Build and Test / Filebeat oss / test_fileset_file_031_iis – test_modules.Test
    • Age: 1
    • Duration: 2.025
    • Error Details: The following expected object doesn't match:
      Diff:
      {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
      {'log.offset': 331, 'destination.address': '::1%0', 'destination.port': 80, 'destination.domain': 'example.com', 'destination.ip': '::1', 'source.address': '::1%0', 'source.ip': '::1', 'fileset.name': 'access', 'url.path': '/', 'input.type': 'log', 'iis.access.site_name': 'W3SVC1', 'iis.access.server_name': 'MACHINE-NAME', 'iis.access.sub_status': 0, 'iis.access.win32_status': 0, '@timestamp': '2018-01-01T10:11:12.000Z', 'related.ip': ['::1', '::1'], 'service.type': 'iis', 'http.request.method': 'GET', 'http.request.body.bytes': 456, 'http.response.status_code': 200, 'http.response.body.bytes': 123, 'http.version': '1.1', 'event.duration': 789000000, 'event.kind': 'event', 'event.module': 'iis', 'event.category': ['web', 'network'], 'event.type': ['connection'], 'event.dataset': 'iis.access', 'event.outcome': 'success', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.14.0', 'user_agent.os.full': 'Mac OS X 10.14.0', 'user_agent.name': 'Chrome', 'user_agent.device.name': 'Mac', 'user_agent.version': '70.0.3538.102'}
      -------------------- >> begin captured stdout << ---------------------
      Using elasticsearch: http://elasticsearch:9200
      Testing iis/access on /go/src/github.com/elastic/beats/filebeat/tests/system/../../module/iis/access/test/test-ipv6zone.log

--------------------- >> end captured stdout << ----------------------

  • Name: Build and Test / Filebeat oss / test_fileset_file_097_nginx – test_modules.Test
    • Age: 1
    • Duration: 2.542
    • Error Details: The following expected object doesn't match:
      Diff:
      {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
      {'nginx.ingress_controller.upstream.alternative_name': '', 'nginx.ingress_controller.upstream.port': '8080', 'nginx.ingress_controller.upstream.response.status_code': 200, 'nginx.ingress_controller.upstream.response.length': 59, 'nginx.ingress_controller.upstream.response.time': 0.0, 'nginx.ingress_controller.upstream.ip': '172.17.0.5', 'nginx.ingress_controller.upstream.name': 'default-web-8080', 'nginx.ingress_controller.http.request.length': 450, 'nginx.ingress_controller.http.request.id': 'da29abf31e4d6324cebe5e7bca370709', 'nginx.ingress_controller.http.request.time': 0.001, 'nginx.ingress_controller.remote_ip_list': ['192.168.64.1'], 'log.offset': 1273, 'source.address': '192.168.64.1', 'source.ip': '192.168.64.1', 'fileset.name': 'ingress_controller', 'url.original': '/products/42', 'input.type': 'log', '@timestamp': '2020-02-07T11:55:57.000Z', 'related.ip': ['192.168.64.1'], 'service.type': 'nginx', 'http.request.method': 'GET', 'http.response.status_code': 200, 'http.response.body.bytes': 59, 'http.version': '1.1', 'event.timezone': '-02:00', 'event.kind': 'event', 'event.module': 'nginx', 'event.category': ['web'], 'event.type': ['info'], 'event.dataset': 'nginx.ingress_controller', 'event.outcome': 'success', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.14.6', 'user_agent.os.full': 'Mac OS X 10.14.6', 'user_agent.name': 'Chrome', 'user_agent.device.name': 'Mac', 'user_agent.version': '79.0.3945.130'}
      -------------------- >> begin captured stdout << ---------------------
      Using elasticsearch: http://elasticsearch:9200
      Testing nginx/ingress_controller on /go/src/github.com/elastic/beats/filebeat/tests/system/../../module/nginx/ingress_controller/test/test.log

--------------------- >> end captured stdout << ----------------------

  • Name: Build and Test / Filebeat oss / test_fileset_file_098_nginx – test_modules.Test
    • Age: 1
    • Duration: 2.357
    • Error Details: The following expected object doesn't match:
      Diff:
      {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
      {'nginx.access.remote_ip_list': ['10.0.0.2', '10.0.0.1', '127.0.0.1'], 'log.offset': 0, 'source.address': '10.0.0.2', 'source.ip': '10.0.0.2', 'fileset.name': 'access', 'url.original': '/ocelot', 'input.type': 'log', '@timestamp': '2016-12-07T10:05:07.000Z', 'related.ip': ['10.0.0.2'], 'service.type': 'nginx', 'http.request.method': 'GET', 'http.response.status_code': 200, 'http.response.body.bytes': 571, 'http.version': '1.1', 'event.timezone': '-02:00', 'event.kind': 'event', 'event.module': 'nginx', 'event.category': ['web'], 'event.type': ['access'], 'event.dataset': 'nginx.access', 'event.outcome': 'success', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.12', 'user_agent.os.full': 'Mac OS X 10.12', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '49.0.'}
      -------------------- >> begin captured stdout << ---------------------
      Using elasticsearch: http://elasticsearch:9200
      Testing nginx/access on /go/src/github.com/elastic/beats/filebeat/tests/system/../../module/nginx/access/test/test.log

--------------------- >> end captured stdout << ----------------------

  • Name: Build and Test / Filebeat oss / test_fileset_file_099_nginx – test_modules.Test
    • Age: 1
    • Duration: 1.932
    • Error Details: The following expected object doesn't match:
      Diff:
      {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
      {'nginx.access.remote_ip_list': ['77.179.66.156'], 'log.offset': 0, 'source.geo.continent_name': 'Europe', 'source.geo.region_iso_code': 'DE-RP', 'source.geo.city_name': 'Germersheim', 'source.geo.country_iso_code': 'DE', 'source.geo.region_name': 'Rheinland-Pfalz', 'source.geo.location.lon': 8.3639, 'source.geo.location.lat': 49.2231, 'source.as.number': 6805, 'source.as.organization.name': 'Telefonica Germany', 'source.address': '77.179.66.156', 'source.ip': '77.179.66.156', 'fileset.name': 'access', 'url.original': '/', 'input.type': 'log', '@timestamp': '2016-10-25T12:49:33.000Z', 'related.ip': ['77.179.66.156'], 'service.type': 'nginx', 'http.request.method': 'GET', 'http.response.status_code': 200, 'http.response.body.bytes': 612, 'http.version': '1.1', 'event.timezone': '-02:00', 'event.kind': 'event', 'event.module': 'nginx', 'event.category': ['web'], 'event.type': ['access'], 'event.dataset': 'nginx.access', 'event.outcome': 'success', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.12.0', 'user_agent.os.full': 'Mac OS X 10.12.0', 'user_agent.name': 'Chrome', 'user_agent.device.name': 'Mac', 'user_agent.version': '54.0.2840.59'}
      -------------------- >> begin captured stdout << ---------------------
      Using elasticsearch: http://elasticsearch:9200
      Testing nginx/access on /go/src/github.com/elastic/beats/filebeat/tests/system/../../module/nginx/access/test/access.log

--------------------- >> end captured stdout << ----------------------

  • Name: Build and Test / Filebeat oss / test_fileset_file_100_nginx – test_modules.Test
    • Age: 1
    • Duration: 1.921
    • Error Details: The following expected object doesn't match:
      Diff:
      {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
      {'nginx.access.remote_ip_list': ['10.0.0.2', '10.0.0.1', '127.0.0.1'], 'log.offset': 0, 'destination.domain': 'example.com', 'source.address': '10.0.0.2', 'source.ip': '10.0.0.2', 'fileset.name': 'access', 'url.original': '/ocelot', 'input.type': 'log', '@timestamp': '2016-12-07T10:05:07.000Z', 'related.ip': ['10.0.0.2'], 'service.type': 'nginx', 'http.request.method': 'GET', 'http.response.status_code': 200, 'http.response.body.bytes': 571, 'http.version': '1.1', 'event.timezone': '-02:00', 'event.kind': 'event', 'event.module': 'nginx', 'event.category': ['web'], 'event.type': ['access'], 'event.dataset': 'nginx.access', 'event.outcome': 'success', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.12', 'user_agent.os.full': 'Mac OS X 10.12', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '49.0.'}
      -------------------- >> begin captured stdout << ---------------------
      Using elasticsearch: http://elasticsearch:9200
      Testing nginx/access on /go/src/github.com/elastic/beats/filebeat/tests/system/../../module/nginx/access/test/test-with-host.log

--------------------- >> end captured stdout << ----------------------

Steps errors

Expand to view the steps failures

  • Name: Make testsuite

    • Description: make -C filebeat testsuite

    • Duration: 32 min 35 sec

    • Start Time: 2020-07-23T03:30:21.566+0000

    • log

  • Name: Mage update build test

    • Description: mage update build test

    • Duration: 31 min 49 sec

    • Start Time: 2020-07-23T03:30:37.654+0000

    • log

Log output

Expand to view the last 100 lines of log output 

[2020-07-23T04:02:25.906Z] + FILE=libbeat/build/coverage/full.cov
[2020-07-23T04:02:25.906Z] + '[' -f libbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:25.906Z] + for i in '"$@"'
[2020-07-23T04:02:25.906Z] + FILE=metricbeat/build/coverage/full.cov
[2020-07-23T04:02:25.906Z] + '[' -f metricbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:25.906Z] + for i in '"$@"'
[2020-07-23T04:02:25.906Z] + FILE=packetbeat/build/coverage/full.cov
[2020-07-23T04:02:25.906Z] + '[' -f packetbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:25.906Z] + for i in '"$@"'
[2020-07-23T04:02:25.906Z] + FILE=winlogbeat/build/coverage/full.cov
[2020-07-23T04:02:25.906Z] + '[' -f winlogbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:27.233Z] Failed in branch Filebeat x-pack
[2020-07-23T04:02:28.577Z] + .ci/scripts/report-codecov.sh auditbeat filebeat heartbeat journalbeat libbeat metricbeat packetbeat winlogbeat
[2020-07-23T04:02:28.577Z] + CODECOV_URL=https://codecov.io/bash
[2020-07-23T04:02:28.577Z] + '[' -e /usr/local/bin/bash_standard_lib.sh ']'
[2020-07-23T04:02:28.577Z] + source /usr/local/bin/bash_standard_lib.sh
[2020-07-23T04:02:28.577Z] ++ readonly CACHE_DIR=/var/lib/jenkins/workspace/Beats_beats_PR-20176/.git-references
[2020-07-23T04:02:28.577Z] ++ CACHE_DIR=/var/lib/jenkins/workspace/Beats_beats_PR-20176/.git-references
[2020-07-23T04:02:28.577Z] ++ declare -a cloned_git_repos
[2020-07-23T04:02:28.577Z] + retry 3 curl -sSLo codecov https://codecov.io/bash
[2020-07-23T04:02:28.577Z] + local retries=3
[2020-07-23T04:02:28.577Z] + shift
[2020-07-23T04:02:28.577Z] + local count=0
[2020-07-23T04:02:28.577Z] + curl -sSLo codecov https://codecov.io/bash
[2020-07-23T04:02:28.845Z] + return 0
[2020-07-23T04:02:28.845Z] + for i in '"$@"'
[2020-07-23T04:02:28.845Z] + FILE=auditbeat/build/coverage/full.cov
[2020-07-23T04:02:28.845Z] + '[' -f auditbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:28.845Z] + for i in '"$@"'
[2020-07-23T04:02:28.845Z] + FILE=filebeat/build/coverage/full.cov
[2020-07-23T04:02:28.845Z] + '[' -f filebeat/build/coverage/full.cov ']'
[2020-07-23T04:02:28.845Z] + for i in '"$@"'
[2020-07-23T04:02:28.845Z] + FILE=heartbeat/build/coverage/full.cov
[2020-07-23T04:02:28.845Z] + '[' -f heartbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:28.845Z] + for i in '"$@"'
[2020-07-23T04:02:28.845Z] + FILE=journalbeat/build/coverage/full.cov
[2020-07-23T04:02:28.845Z] + '[' -f journalbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:28.845Z] + for i in '"$@"'
[2020-07-23T04:02:28.845Z] + FILE=libbeat/build/coverage/full.cov
[2020-07-23T04:02:28.845Z] + '[' -f libbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:28.845Z] + for i in '"$@"'
[2020-07-23T04:02:28.845Z] + FILE=metricbeat/build/coverage/full.cov
[2020-07-23T04:02:28.845Z] + '[' -f metricbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:28.845Z] + for i in '"$@"'
[2020-07-23T04:02:28.845Z] + FILE=packetbeat/build/coverage/full.cov
[2020-07-23T04:02:28.845Z] + '[' -f packetbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:28.845Z] + for i in '"$@"'
[2020-07-23T04:02:28.845Z] + FILE=winlogbeat/build/coverage/full.cov
[2020-07-23T04:02:28.845Z] + '[' -f winlogbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:30.014Z] Failed in branch Filebeat oss
[2020-07-23T04:02:30.158Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20176/src/github.com/elastic/beats
[2020-07-23T04:02:30.474Z] + find . -type f -name TEST*.xml -path */build/* -delete
[2020-07-23T04:02:30.487Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20176/src/github.com/elastic/beats/Lint
[2020-07-23T04:02:30.573Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20176/src/github.com/elastic/beats/Filebeat-x-pack-Mac-OS-X
[2020-07-23T04:02:30.649Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20176/src/github.com/elastic/beats/Filebeat-x-pack-Windows
[2020-07-23T04:02:30.726Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20176/src/github.com/elastic/beats/Filebeat-Windows
[2020-07-23T04:02:30.804Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20176/src/github.com/elastic/beats/Filebeat-Mac-OS-X
[2020-07-23T04:02:30.882Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20176/src/github.com/elastic/beats/Filebeat-x-pack
[2020-07-23T04:02:30.983Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20176/src/github.com/elastic/beats/Filebeat-oss
[2020-07-23T04:02:31.344Z] + cat
[2020-07-23T04:02:31.344Z] + /usr/local/bin/runbld ./runbld-script
[2020-07-23T04:02:31.344Z] Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
[2020-07-23T04:02:37.951Z] runbld>>> runbld started
[2020-07-23T04:02:37.951Z] runbld>>> 1.6.12/f45d832f2ba0aa2722ab4ec1fda8ad140f027f8b
[2020-07-23T04:02:40.501Z] runbld>>> The following profiles matched the job 'Beats/beats/PR-20176' in order of occurrence in the config (last value wins).
[2020-07-23T04:02:41.458Z] runbld>>> Debug logging enabled.
[2020-07-23T04:02:41.458Z] runbld>>> Storing result
[2020-07-23T04:02:41.719Z] runbld>>> Store result: created {:total 2, :successful 2, :failed 0} 1
[2020-07-23T04:02:41.719Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200723040241-E44F8C57
[2020-07-23T04:02:41.719Z] runbld>>> Adding system facts.
[2020-07-23T04:02:42.663Z] runbld>>> Adding vcs info for the latest commit:  b8e60bf7f071f25903361b58450d04827c1f6907
[2020-07-23T04:02:42.663Z] runbld>>> >>>>>>>>>>>> SCRIPT EXECUTION BEGIN >>>>>>>>>>>>
[2020-07-23T04:02:42.663Z] runbld>>> Adding /usr/lib/jvm/java-8-openjdk-amd64/bin to the path.
[2020-07-23T04:02:42.925Z] + echo 'Processing JUnit reports with runbld...'
[2020-07-23T04:02:42.925Z] Processing JUnit reports with runbld...
[2020-07-23T04:02:43.187Z] runbld>>> <<<<<<<<<<<< SCRIPT EXECUTION END <<<<<<<<<<<<
[2020-07-23T04:02:43.187Z] runbld>>> DURATION: 18ms
[2020-07-23T04:02:43.187Z] runbld>>> STDOUT: 40 bytes
[2020-07-23T04:02:43.187Z] runbld>>> STDERR: 49 bytes
[2020-07-23T04:02:43.187Z] runbld>>> WRAPPED PROCESS: SUCCESS (0)
[2020-07-23T04:02:43.187Z] runbld>>> Searching for build metadata in /var/lib/jenkins/workspace/Beats_beats_PR-20176/src/github.com/elastic/beats
[2020-07-23T04:02:44.578Z] runbld>>> Storing build metadata: 
[2020-07-23T04:02:44.578Z] runbld>>> Adding test report.
[2020-07-23T04:02:44.578Z] runbld>>> Searching for junit test output files with the pattern: TEST-.*\.xml$ in: /var/lib/jenkins/workspace/Beats_beats_PR-20176/src/github.com/elastic/beats
[2020-07-23T04:02:45.152Z] runbld>>> Found 13 test output files
[2020-07-23T04:02:46.540Z] runbld>>> Test output logs contained: Errors: 0 Failures: 19 Tests: 4951 Skipped: 661
[2020-07-23T04:02:46.803Z] runbld>>> Storing result
[2020-07-23T04:02:46.803Z] runbld>>> FAILURES: 19
[2020-07-23T04:02:51.021Z] runbld>>> Store result: updated {:total 2, :successful 2, :failed 0} 2
[2020-07-23T04:02:51.022Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200723040241-E44F8C57
[2020-07-23T04:02:51.022Z] runbld>>> Email notification disabled by environment variable.
[2020-07-23T04:02:51.022Z] runbld>>> Slack notification disabled by environment variable.
[2020-07-23T04:02:56.578Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats_PR-20176
[2020-07-23T04:02:56.689Z] [INFO] getVaultSecret: Getting secrets
[2020-07-23T04:02:56.766Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-07-23T04:02:57.510Z] + chmod 755 generate-build-data.sh
[2020-07-23T04:02:57.510Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20176/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20176/runs/2 FAILURE 3481174
[2020-07-23T04:02:57.510Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20176/runs/2/steps/?limit=10000 -o steps-info.json
[2020-07-23T04:02:58.061Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20176/runs/2/tests/?status=FAILED -o tests-errors.json
[2020-07-23T04:02:58.611Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20176/runs/2/log/ -o pipeline-log.txt

@andrewstucki andrewstucki merged commit dee93b2 into elastic:7.x Jul 23, 2020
@zube zube bot removed the [zube]: Done label Oct 22, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees

No one assigned

Labels

backport

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@andrewstucki @elasticmachine @andrewkroh