Skip to content

Add ISO8601 as supported timestamp type#25564

Merged
leehinman merged 4 commits intoelastic:masterfrom
weslambert:master
Jun 10, 2021
Merged

Add ISO8601 as supported timestamp type#25564
leehinman merged 4 commits intoelastic:masterfrom
weslambert:master

Conversation

@weslambert
Copy link
Copy Markdown
Contributor

@weslambert weslambert commented May 5, 2021
edited
Loading

Enhancement

What does this PR do?

This PR allows the ability to parse Zeek logs that are written with ISO8601 timestamps.

Why is it important?

ISO8601 timestamps provide a way to view raw log timestamps easily. By being able to keep these timestamps in the raw logs and have them be parsed correctly when being ingested into the Elastic ecosystem, we get the best of both worlds.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

Redef LogAscii::json_timestamps = JSON::TS_ISO8601; for Zeek and have it write logs with ISO8601 timestamps.

The date processor will fail for the ts field, etc.

Apply ISO8601 as an additional format option for ts, etc in pipeline.yml.

Verify log is correctly parsed and ingested into Elasticsearch.

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 5, 2021
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented May 5, 2021
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: Pull request #25564 updated

  • Start Time: 2021-06-09T21:32:22.107+0000

  • Duration: 103 min 0 sec

  • Commit: 85f844c

Test stats 🧪

Test Results
Failed 0
Passed 7312
Skipped 1193
Total 8505

Trends 🧪

Image of Build Times

Image of Tests

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test Results
Failed 0
Passed 7312
Skipped 1193
Total 8505

@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented May 6, 2021

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label May 6, 2021
@andrewkroh andrewkroh added enhancement Filebeat Filebeat needs_integration_sync Changes in this PR need synced to elastic/integrations. labels May 17, 2021
@leehinman leehinman self-assigned this Jun 9, 2021
@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented Jun 9, 2021

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b master upstream/master
git merge upstream/master
git push upstream master

@leehinman leehinman added the backport-v7.14.0 Automated backport with mergify label Jun 9, 2021
@leehinman leehinman merged commit 7edb457 into elastic:master Jun 10, 2021
mergify bot pushed a commit that referenced this pull request Jun 10, 2021
@weslambert @leehinman
Add ISO8601 as supported timestamp type (#25564)
cb96270 
* Add ISO8601 as supported timestamp type

Co-authored-by: Lee E. Hinman <lee.e.hinman@elastic.co>
(cherry picked from commit 7edb457)
@mergify mergify bot mentioned this pull request Jun 10, 2021
Merged
@leehinman leehinman mentioned this pull request Jun 10, 2021
Merged
3 tasks
leehinman pushed a commit that referenced this pull request Jun 10, 2021
@mergify @weslambert
Add ISO8601 as supported timestamp type (#25564) (#26238)
5854d35 
* Add ISO8601 as supported timestamp type

Co-authored-by: Lee E. Hinman <lee.e.hinman@elastic.co>
(cherry picked from commit 7edb457)

Co-authored-by: weslambert <wlambertts@gmail.com>
leehinman added a commit to leehinman/integrations that referenced this pull request Jun 17, 2021
@leehinman
zeek add support for iso8601 timestamps
d0b414f 
- relates elastic/beats#25564
leehinman added a commit to elastic/integrations that referenced this pull request Jun 17, 2021
@leehinman
zeek add support for iso8601 timestamps (#1118)
c62b2c4 
- relates elastic/beats#25564
mdelapenya added a commit to mdelapenya/beats that referenced this pull request Jun 21, 2021
@mdelapenya
Merge branch 'master' into archive-system-tests
30ccbed 
* master: (26 commits)
  Report total and free CPU for vSphere virtual machines (elastic#26167)
  [filebeat] Add preserve_original_event option to o365audit input (elastic#26273)
  Change xml processor names in script processor to match convention (elastic#26263)
  [Oracle] Fixing default values for paths in config template (elastic#26276)
  Add more ECS fields to logs (elastic#25998)
  [Heartbeat] Fix broken invocation of synth package (elastic#26228)
  rename sqs file name (elastic#26227)
  Populate the agent action result if there is no matching action handlers (elastic#26152)
  Add ISO8601 as supported timestamp type (elastic#25564)
  Move Filebeat azure module to GA (elastic#26168)
  Filebeat azure module pipeline fixes and changes (elastic#26148)
  libbeat: monitor version (elastic#26214)
  Add new parser to filestream input: container (elastic#26115)
  [Metricbeat] Add state_statefulset replicas.ready (elastic#26088)
  Disable test processors system test for windows 10 (elastic#26216)
  Fix startup with failing configuration (elastic#26126)
  Remove 32 bits version of Elastic Agent. (elastic#25708)
  Chane fleetmode detection to ony use management.enabled (elastic#26180)
  Make `filestream` input GA (elastic#26127)
  libbeat/idxmgmt/ilm: fix alias creation (elastic#26146)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@leehinman leehinman leehinman approved these changes

Assignees

@leehinman leehinman

Labels

backport-v7.14.0 Automated backport with mergify enhancement Filebeat Filebeat needs_integration_sync Changes in this PR need synced to elastic/integrations.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@weslambert @elasticmachine @leehinman @andrewkroh @ChrsMark @jamiehynds