Set netflow event.created to use current timestamp (elastic#23094)

* Update event.created to use current timestamp * Update golden files, add changelog Co-authored-by: Andrew Kroh <[email protected]>
andrewkroh · Jan 14, 2021 · 6986c84 · 6986c84
1 parent 72eb969
commit 6986c84
Show file tree

Hide file tree

Showing 47 changed files with 9 additions and 474 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -267,6 +267,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix integer overflow in S3 offsets when collecting very large files. {pull}22523[22523]
 - Fix various processing errors in the Suricata module. {pull}23236[23236]
 - Fix CredentialsJSON unpacking for `gcp-pubsub` and `httpjson` inputs. {pull}23277[23277]
+- Change the `event.created` in Netflow events to be the time the event was created by Filebeat
+  to be consistent with ECS. {pull}23094[23094]
 
 *Filebeat*
 

diff --git a/x-pack/filebeat/input/netflow/convert.go b/x-pack/filebeat/input/netflow/convert.go
@@ -65,7 +65,7 @@ func toBeatEventCommon(flow record.Record) (event beat.Event) {
 
 	// ECS Fields -- event
 	ecsEvent := common.MapStr{
-		"created":  flow.Timestamp,
+		"created":  time.Now().UTC(),
 		"kind":     "event",
 		"category": []string{"network_traffic", "network"},
 		"action":   flow.Fields["type"],

diff --git a/x-pack/filebeat/input/netflow/netflow_test.go b/x-pack/filebeat/input/netflow/netflow_test.go
@@ -197,7 +197,9 @@ func getFlowsFromDat(t testing.TB, name string, testCase TestCase) TestResult {
 			}
 			ev := make([]beat.Event, len(flows))
 			for i := range flows {
-				ev[i] = toBeatEvent(flows[i], []string{"private"})
+				flow := toBeatEvent(flows[i], []string{"private"})
+				flow.Fields.Delete("event.created")
+				ev[i] = flow
 			}
 			//return TestResult{Name: name, Error: err.Error(), Events: flowsToEvents(flows)}
 			events = append(events, ev...)
@@ -242,7 +244,9 @@ func getFlowsFromPCAP(t testing.TB, name, pcapFile string) TestResult {
 		}
 		ev := make([]beat.Event, len(flows))
 		for i := range flows {
-			ev[i] = toBeatEvent(flows[i], []string{"private"})
+			flow := toBeatEvent(flows[i], []string{"private"})
+			flow.Fields.Delete("event.created")
+			ev[i] = flow
 		}
 		events = append(events, ev...)
 	}

diff --git a/...t/input/netflow/testdata/golden/IPFIX-Barracuda-extended-uniflow-template-256.golden.json b/...t/input/netflow/testdata/golden/IPFIX-Barracuda-extended-uniflow-template-256.golden.json
@@ -16,7 +16,6 @@
             "network_traffic",
             "network"
           ],
-          "created": "2018-04-18T08:16:47Z",
           "duration": 0,
           "kind": "event",
           "type": [
@@ -109,7 +108,6 @@
             "network_traffic",
             "network"
           ],
-          "created": "2018-04-18T08:16:47Z",
           "duration": 0,
           "kind": "event",
           "type": [

diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-firewall.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-firewall.golden.json
@@ -16,7 +16,6 @@
             "network_traffic",
             "network"
           ],
-          "created": "2017-06-29T13:58:28Z",
           "duration": 20269000000,
           "kind": "event",
           "type": [
@@ -97,7 +96,6 @@
             "network_traffic",
             "network"
           ],
-          "created": "2017-06-29T13:58:28Z",
           "duration": 20269000000,
           "kind": "event",
           "type": [
@@ -178,7 +176,6 @@
             "network_traffic",
             "network"
           ],
-          "created": "2017-06-29T13:58:28Z",
           "duration": 20306000000,
           "kind": "event",
           "type": [
@@ -259,7 +256,6 @@
             "network_traffic",
             "network"
           ],
-          "created": "2017-06-29T13:58:28Z",
           "duration": 20306000000,
           "kind": "event",
           "type": [
@@ -340,7 +336,6 @@
             "network_traffic",
             "network"
           ],
-          "created": "2017-06-29T13:58:28Z",
           "duration": 20317000000,
           "kind": "event",
           "type": [
@@ -421,7 +416,6 @@
             "network_traffic",
             "network"
           ],
-          "created": "2017-06-29T13:58:28Z",
           "duration": 20317000000,
           "kind": "event",
           "type": [
@@ -502,7 +496,6 @@
             "network_traffic",
             "network"
           ],
-          "created": "2017-06-29T13:58:28Z",
           "duration": 20368000000,
           "kind": "event",
           "type": [
@@ -583,7 +576,6 @@
             "network_traffic",
             "network"
           ],
-          "created": "2017-06-29T13:58:28Z",
           "duration": 20368000000,
           "kind": "event",
           "type": [