
Add third-party REST API#545

Merged
leehinman merged 2 commits into elastic:master from leehinman:apache_httpjson_poc on Mar 11, 2021

Conversation

Contributor

@leehinman leehinman commented Jan 20, 2021

What does this PR do?

Adds third-party REST API to several packages. This allows pulling data from the Splunk REST API.

  • Apache
  • nginx
  • AWS Cloudtrail
  • Zeek

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all datasets collect metrics or logs.

Screenshots

Add Apache Integration Screen (screenshot)

Third-Party REST API Configuration (screenshot)

Example ingested document

{
  "_index": "filebeat-8.0.0-2021.01.11-000001",
  "_type": "_doc",
  "_id": "d9a88109c64ba572d8319e3325901415ff78f6b6fae8346d38c28c98010ee0b0",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "name": "Lees-MacBook-Pro.local",
      "id": "7b45f55c-a54b-4f81-a8e5-8b4033d14305",
      "type": "filebeat",
      "ephemeral_id": "3170de0e-eb99-4784-b17e-eb4292443378",
      "version": "8.0.0"
    },
    "source": {
      "address": "127.0.0.1",
      "ip": "127.0.0.1"
    },
    "fileset": {
      "name": "access"
    },
    "url": {
      "original": "/"
    },
    "tags": [
      "forwarded"
    ],
    "input": {
      "type": "httpjson"
    },
    "file": {
      "path": "/var/log/apache2/access.log"
    },
    "apache": {
      "access": {}
    },
    "@timestamp": "2021-01-12T17:45:52.000Z",
    "ecs": {
      "version": "1.7.0"
    },
    "service": {
      "type": "apache"
    },
    "host": {
      "name": "ubuntu-bionic"
    },
    "http": {
      "request": {
        "referrer": "-",
        "method": "GET"
      },
      "response": {
        "status_code": 200,
        "body": {
          "bytes": 11173
        }
      },
      "version": "1.1"
    },
    "event": {
      "ingested": "2021-01-12T17:46:01.271439318Z",
      "kind": "event",
      "created": "2021-01-12T17:46:00.241Z",
      "module": "apache",
      "category": "web",
      "dataset": "apache.access",
      "outcome": "success"
    },
    "user": {
      "name": "-"
    },
    "user_agent": {
      "original": "curl/7.58.0",
      "name": "curl",
      "device": {
        "name": "Other"
      },
      "version": "7.58.0"
    }
  },
  "fields": {
    "event.ingested": [
      "2021-01-12T17:46:01.271Z"
    ],
    "@timestamp": [
      "2021-01-12T17:45:52.000Z"
    ],
    "event.created": [
      "2021-01-12T17:46:00.241Z"
    ]
  },
  "sort": [
    1610473552000
  ]
}

@leehinman leehinman force-pushed the apache_httpjson_poc branch from 687f5b7 to a04e10d on February 5, 2021 16:18
@leehinman leehinman changed the title from "httpjson for apache access and error" to "Add third-party REST API" on Feb 5, 2021
@elasticmachine

elasticmachine commented Feb 5, 2021

💚 Build Succeeded


Build stats

  • Build Cause: Pull request #545 updated

  • Start Time: 2021-03-10T21:13:49.730+0000

  • Duration: 32 min 23 sec

  • Commit: ce66995

Test stats 🧪

  • Test Results: Failed 0, Passed 445, Skipped 0, Total 445


@leehinman leehinman force-pushed the apache_httpjson_poc branch from a04e10d to cc7d8c2 on February 9, 2021 20:33
@leehinman leehinman force-pushed the apache_httpjson_poc branch 4 times, most recently from d32aa06 to faa2773 on February 25, 2021 16:15
@leehinman leehinman marked this pull request as ready for review February 25, 2021 16:24
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

Member

@andrewkroh andrewkroh left a comment


I would really like to see some tests that exercise the httpjson part of the config. This is the idea I had when I was thinking about how to test some other packages that use httpjson (like google workspace and okta): https://github.com/andrewkroh/stream/issues/9

Member


This looks misspelled.

Member


There are quite a few possible SSL options available. I suggest hiding the SSL options under an advanced setting and letting users configure it as YAML. Passing PEM encoded CA certs too is a little easier IMO with the textbox it gives you.

- name: ssl
  type: yaml
  title: TLS
  description: Options for enabling TLS for the listening webhook endpoint. Zoom requires webhooks listen on HTTPS. You must either provide a valid TLS certificate or use a reverse proxy in front of the integration. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.
  multi: false
  required: false
  show_user: false
  default: |
    enabled: false
    certificate: "/etc/pki/client/cert.pem"
    key: "/etc/pki/client/cert.key"
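As an added example (not code from this PR or from the elastic/integrations project), the check below reads a flat `ssl` block like the `default:` above and flags the settings a reviewer would want caught before a package ships: TLS disabled, a client certificate configured without its key, or `verification_mode: none`, which leaves the REST API's server certificate unverified. It assumes the Beats SSL option names (`enabled`, `certificate`, `key`, `verification_mode`) and the `verification_mode` values from the documentation linked in the comment; the hand-written parser only understands the flat `key: value` form shown here, not the multi-line PEM form that `certificate_authorities` can take, and the finding strings are my own.

```python
"""Lint a flat Beats-style `ssl` block from a Fleet package variable.

Added example: not code from this PR or from elastic/integrations. Option
names (enabled, certificate, key, verification_mode) follow the Beats SSL
settings in the documentation the comment links to; the verification_mode
values and the "enabled defaults to true" behaviour are assumed from those
docs. The parser only handles the flat `key: value` form shown in the
review comment; it is deliberately not a YAML parser.
"""

from typing import Dict, List, Union

Value = Union[bool, str]

# Copy of the `default:` block proposed in the review comment (constructed input).
PROPOSED_DEFAULT = """\
enabled: false
certificate: "/etc/pki/client/cert.pem"
key: "/etc/pki/client/cert.key"
"""

# Values the Beats docs list for ssl.verification_mode (assumed from the docs).
KNOWN_VERIFICATION_MODES = {"full", "strict", "certificate", "none"}


def parse_flat_yaml(text: str) -> Dict[str, Value]:
    """Parse `key: value` lines: strips quotes and `#` comments, maps
    true/false to bool, and rejects indented or list lines so that a nested
    block (e.g. an inline PEM under certificate_authorities) is never
    silently mis-read as a flat value."""
    out: Dict[str, Value] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] in " \t-":
            raise ValueError(f"nested YAML is not supported by this checker: {raw!r}")
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        if value.lower() in ("true", "false"):
            out[key.strip()] = value.lower() == "true"
        else:
            out[key.strip()] = value
    return out


def check_ssl_settings(ssl: Dict[str, Value]) -> List[str]:
    """Return findings for an `ssl` block; an empty list means nothing to flag."""
    findings: List[str] = []
    # Beats treats a missing `enabled` as true once ssl settings are present (assumed).
    if ssl.get("enabled", True) is False:
        return ["TLS disabled: requests to the REST API go out in plaintext"]
    has_cert = bool(ssl.get("certificate"))
    has_key = bool(ssl.get("key"))
    if has_cert != has_key:
        findings.append("client certificate and key must be configured together")
    mode = str(ssl.get("verification_mode", "full")).lower()
    if mode not in KNOWN_VERIFICATION_MODES:
        findings.append(f"unknown verification_mode {mode!r}")
    elif mode == "none":
        findings.append("verification_mode none: the server certificate is not verified")
    return findings


if __name__ == "__main__":
    settings = parse_flat_yaml(PROPOSED_DEFAULT)
    for finding in check_ssl_settings(settings) or ["ok"]:
        print(finding)
```

Run against the proposed default it reports only that TLS is disabled, which is the intended shipping state for a default the user edits; the other findings are the ones that matter once a user turns TLS on and pastes paths or PEM text into the advanced YAML box.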

Contributor Author


Done, see if the screenshot is what you were thinking

Member


We should probably mark this with "(experimental)". Once we have a few more necessary package/fleet features we'll be able to implement this as an independent package and remove these.

- apache
- nginx
- zeek
- aws/cloudtrail
@leehinman leehinman force-pushed the apache_httpjson_poc branch from faa2773 to ce66995 on March 10, 2021 21:13
4 participants