[Infoblox NIOS] Update timestamp parsing logic#8767
Conversation
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
efd6 left a comment:
AFAICS the ordering of the timestamps is coming from the structure of the event. Is this the case? If so, I think it would be helpful to make this clear in the commit message. If not, can you explain the logic more clearly?
| - remove: | ||
| field: event.created | ||
| ignore_missing: true |
Should this deletion also happen in the next date processor?
I've made the logic a bit clearer, and this is irrelevant now.
I've made the commit message clearer. Let me know if that explains the issue. Thanks!
Package infoblox_nios - 1.19.3 containing this change is available at https://epr.elastic.co/search?package=infoblox_nios
* upstream/main: (117 commits)
  [TI MISP] Add IOC expiration support (#8639)
  Add CSPM Rules 6.2, 6.3 and 6.4 (#8778)
  [Infoblox NIOS] Update timestamp parsing logic (#8767)
  [Rapid7 InsightVM] Split vulnerability categories into array (#8768)
  [Exchange Online Message Trace] Add Additional Look-back Time & Fix Cursor Value (#8717)
  [Buildkite] Update bucket settings (#8765)
  Remove Jenkins .ci folder (#8766)
  First part of removal of Jenkins jobs (#8763)
  misp: parse URIs for URI type threats (#8760)
  [amazon_security_lake] Added support for all the OCSF Classes (#8579)
  [Buildkite] Update settings for integrations pipeline (#8758)
  [TI ThreatQ] Add IOC expiration support (#8691)
  [ti_opencti] Support OpenCTI 5.12 by removing filters parameter (#8744)
  [Cribl] Updating setup guidance for Cribl field (#8746)
  crowdstrike: add userinfo enrichment support and map fields to ECS (#8742)
  [etcd] Enable TSDB for metrics datastream (#8649)
  Bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#8749)
  auditd: relax field_split pattern and handle AVC header (#8748)
  Update cloud packages codeowner (#8672)
  [O11Y] [AWS Billing] Convert "Total Estimated Charges" visualization to new metric (#8509)
  ...
Proposed commit message
There are 2 styles of log format (with regard to how timestamps are handled).

```
<29>Mar 21 09:53:51 infoblox.localdomain httpd[]: 2022-03-18 13:24:41.705Z [admin]: ........
<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: ............
```

Event 1: Contains 2 timestamps inside the log. In the current default pipeline, the first timestamp `Mar 21 09:53:51` is set as `event.created`, and then the individual pipelines set the second timestamp as `@timestamp` if present.

Event 2: Contains 1 timestamp inside the log. In the current default pipeline, the only timestamp `Mar 27 08:32:59` is set as `event.created`, and a set processor copies that into `@timestamp` if `@timestamp` is not already present from the individual pipelines.

But when Logstash is involved between Agent and Elasticsearch, it adds `@timestamp` to the event before the ingest pipeline. Hence log format 2, i.e., the one containing a single timestamp, skips the set processor, leading to incorrect `@timestamp` values and also not conforming to the ECS norm @timestamp < event.created < event.ingested.

This PR fixes the problem by:
- `@timestamp` inside them.
- `override: true` in the default pipeline, thus overriding the value of `@timestamp` with the event's timestamp.

Checklist
- `changelog.yml` file.

How to test this PR locally
```sh
elastic-package stack down && elastic-package build && elastic-package stack up --version=8.11.0 -d -v --services=elasticsearch && eval "$(elastic-package stack shellinit)" && elastic-package test pipeline --generate -v
```
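The two log formats and the Logstash edge case from the proposed commit message, modelled as an added example (this is not the integration's own ingest-pipeline YAML and not code from the PR): a small Python model of the default-pipeline `set` processor and the per-daemon stage, run over a format-1 (httpd, two timestamps) line and a format-2 (dhcpd, one timestamp) line, with and without Logstash having already stamped `@timestamp`. Assumptions: the two sample lines and the Logstash stamp value are constructed, the syslog year is pinned to 2022 because the header carries none, and the processor ordering in the fixed flow (default-pipeline `set` with `override: true` first, per-daemon inner-timestamp parse second) is inferred from the commit message rather than read from the package.

```python
"""Model of the Infoblox NIOS timestamp handling discussed in PR #8767.

Added example, not the integration's pipeline code. It simulates the ingest
stages described in the commit message to show why a `set` processor with
override:false misbehaves once Logstash has stamped @timestamp, and why
override:true fixes it. The fixed-flow ordering is an assumption.
"""
import re
from datetime import datetime, timezone

# Syslog header: optional <PRI>, "Mon DD HH:MM:SS", host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[\s]+)\[\d*\]: (?P<msg>.*)$"
)
# Inner ISO-8601 timestamp at the start of format-1 (httpd) messages; the Z is left out of the group
INNER_ISO_RE = re.compile(r"^(?P<iso>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)Z")

SYSLOG_YEAR = 2022  # assumption: syslog headers carry no year, so one is pinned here

# Constructed sample lines shaped like the two formats quoted in the PR (not real device output)
HTTPD_LINE = "<29>Mar 21 09:53:51 infoblox.localdomain httpd[]: 2022-03-18 13:24:41.705Z [admin]: login"
DHCPD_LINE = "<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPACK on 10.0.0.5 to 00:11:22:33:44:55"
# Constructed: the value Logstash stamps into @timestamp when it forwards the event
LOGSTASH_STAMP = datetime(2022, 3, 27, 8, 40, 0, tzinfo=timezone.utc)


def utc(dt: datetime) -> datetime:
    return dt.replace(tzinfo=timezone.utc)


def parse_syslog_ts(text: str) -> datetime:
    """'Mar 27 08:32:59' -> aware UTC datetime with the pinned year."""
    return utc(datetime.strptime(f"{SYSLOG_YEAR} {text}", "%Y %b %d %H:%M:%S"))


def parse_inner_iso(text: str) -> datetime:
    """'2022-03-18 13:24:41.705' (Z already stripped by the regex) -> aware UTC datetime."""
    return utc(datetime.fromisoformat(text))


def set_processor(doc: dict, field: str, value, override: bool) -> None:
    """Elasticsearch `set` semantics: override=false leaves an existing non-null field alone."""
    if override or doc.get(field) is None:
        doc[field] = value


def daemon_pipeline(doc: dict) -> None:
    """Per-daemon stage: format-1 lines carry their own timestamp, which always wins."""
    m = INNER_ISO_RE.match(doc["_msg"])
    if m:
        doc["@timestamp"] = parse_inner_iso(m["iso"])


def ingest(line: str, fixed: bool, via_logstash: bool) -> dict:
    doc = {"message": line}
    if via_logstash:
        doc["@timestamp"] = LOGSTASH_STAMP  # arrives already set, before any processor runs
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an Infoblox syslog line: {line!r}")
    doc["event.created"] = parse_syslog_ts(m["ts"])
    doc["host.name"], doc["process.name"], doc["_msg"] = m["host"], m["prog"], m["msg"]
    if fixed:
        # assumed fixed ordering: override:true first, then the per-daemon stage replaces
        # @timestamp when the message carries its own timestamp
        set_processor(doc, "@timestamp", doc["event.created"], override=True)
        daemon_pipeline(doc)
    else:
        # old flow: per-daemon stage, then a `set` that only fills a missing @timestamp
        daemon_pipeline(doc)
        set_processor(doc, "@timestamp", doc["event.created"], override=False)
    del doc["_msg"]
    return doc


def ecs_order_ok(doc: dict) -> bool:
    """The ordering the PR expects: @timestamp must not be later than event.created."""
    return doc["@timestamp"] <= doc["event.created"]


def compare_flows() -> dict:
    """(@timestamp, ecs_order_ok) keyed by (daemon, via_logstash, flow) for both flows."""
    out = {}
    for name, line in (("httpd", HTTPD_LINE), ("dhcpd", DHCPD_LINE)):
        for via_logstash in (False, True):
            for flow in ("old", "fixed"):
                doc = ingest(line, fixed=(flow == "fixed"), via_logstash=via_logstash)
                out[(name, via_logstash, flow)] = (doc["@timestamp"], ecs_order_ok(doc))
    return out


if __name__ == "__main__":
    for key, (ts, ok) in compare_flows().items():
        print(f"{key!s:<28} @timestamp={ts.isoformat()}  ecs_order_ok={ok}")
```

Only one of the eight combinations breaks: the dhcpd line arriving via Logstash under the old flow keeps the Logstash stamp (08:40:00, later than the syslog header's 08:32:59), which is exactly the case the commit message describes. The httpd line is unaffected in both flows because its per-daemon stage overwrites `@timestamp` unconditionally, matching the commit message's statement that only the single-timestamp format skipped the set processor.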