[Filebeat] Add Shorewall module #12199
Conversation
|
Hi @mdelapenya, we have found your signature in our records, but it seems like you have signed with a different e-mail than the one used in your Git commit. Can you please add both of these e-mails into your Github profile (they can be hidden), so we can match your e-mails to your Github profile? |
mdelapenya
force-pushed
the
shorewall-module
branch
from
feda3ef
to
6de26c5
Compare
sayden
changed the title
sayden
added
Team:Integrations
sayden
changed the title
There was a problem hiding this comment.
Thanks for contributing with this 🙂 A handful of changes are needed and CI didn't pass the quick test. (probably a make update in beats/filebeat folder is missing and / or a mage fmt update in x-pack/filebeat folder. Overall looks good but expect more changes after you submit the changes indicated now and / or after making CI green
| Shorewal log files | ||
| fields: | ||
| - name: in | ||
| type: keywork |
There was a problem hiding this comment.
Description of fields is "mandatory" and "extended" even if the potential target user is a Shorewall expert
| @@ -0,0 +1 @@ | |||
| May 28 17:23:25 myHost kernel: [3124658.791874] Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=1.2.3.4 DST=1.2.3.4 LEN=141 TOS=0x00 PREC=0x00 TTL=63 ID=55251 PROTO=UDP SPT=5353 DPT=5353 LEN=121 | |||
There was a problem hiding this comment.
It will be nice to have a handful more example lines with different configurations to avoid "happy paths". I guess that this line is the default logging configuration but Filebeat must be able to handle also missing fields. For example, I don't know if it's possible that OUT=eth2 appears as OUT= if no interface is defined as out or it will simply dissapear from the line.
| Shorewal network log files | ||
| fields: | ||
| - name: one | ||
| type: keywork |
There was a problem hiding this comment.
The actions look like keyword indeed, good catch!
There was a problem hiding this comment.
I'm possibly going to change them...
| }, | ||
| { | ||
| "date": { | ||
| "field": "timestamp", |
There was a problem hiding this comment.
Timezone is missing. Here you need the convert timezone plugin. Check another module for guidance about how to use it (or this PR #12079), it will make the document non JSON valid but this is expected when using the convert timezone plugin
mdelapenya
force-pushed
the
shorewall-module
branch
from
6de26c5
to
c3693ae
Compare
andresrc
added
[zube]: In Review
[zube]: In Progress
and removed
[zube]: In Review
labels
| description: > | ||
| Shorewal log files | ||
| fields: | ||
| - name: in |
There was a problem hiding this comment.
does this map to source.bytes and destination.bytes? https://www.elastic.co/guide/en/ecs/current/ecs-source.html
There was a problem hiding this comment.
I'm currently looking into it!
| default: | ||
| - /var/log/shorewall.log | ||
| os.darwin: | ||
| - /usr/local/example/test.log* |
There was a problem hiding this comment.
If we don't know the paths for darwin / windows lets rather remove it.
There was a problem hiding this comment.
My fault, removing those now
Run make create-module MODULE=shorewall from the X-Pack's filebeat root directory
…the file to parse (the shorewall log)
It reuses existing Logstash pattern: https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/firewalls#L87
The command used to execute the tests is: TESTING_FILEBEAT_MODULES=shorewall INTEGRATION_TESTS=1 GENERATE=1 BEAT_STRICT_PERMS=false nosetests -v -d -s tests/system/test_modules.py
This change is required because the test execution is the responsible of generating the expected output for tests, which seems a bit weird from testing prespective to run a test to obtains the expected output. Maybe adding a check phase for this validation could help
I followed NATS example, so that here I define the parent field froup (shorewall) and the children fields will be defined at the fileset level
The LEN field represents "Total length of IP packet in bytes"
This command will:
- format and normalise code
- include new module into the existing list of Filebeat modules
… include new module into the existing list of Filebeat modules
We found a bug in mage when collecting fields from x-path modules
mdelapenya
force-pushed
the
shorewall-module
branch
2 times, most recently
from
c5947c2
to
48e92fd
Compare
mdelapenya
force-pushed
the
shorewall-module
branch
from
ba014d5
to
146485d
Compare
There was a problem hiding this comment.
Skimmed through it and left some high level comments. Didn't deep dive into it yet as I see it's still in progress.
I wonder if you could also open an issue with the module Github issue template so we don't forget about other things for it like the Add Data UI which will not happen in this PR.
| description: > | ||
| Reserved bits. The ECN flags "CWR" and "ECNE" will show up in the two | ||
| least significant bits of this field. | ||
| - name: time1 |
There was a problem hiding this comment.
I'm gonna change this, as that [x.y] is the timestamp coming from kernel
| [float] | ||
| === Compatibility | ||
|
|
||
| TODO: document with what versions of the software is this tested |
There was a problem hiding this comment.
The TODO should be completed or removed
| description: > | ||
| Fields from Shorewall logs. | ||
| fields: | ||
| - name: network |
There was a problem hiding this comment.
@webmat Potentially useful for ECS?
| @@ -0,0 +1,3 @@ | |||
| dashboards: | |||
There was a problem hiding this comment.
As I don't see dashboards in this PR (yet?) this should probably be removed.
|
Related to #12238 |
|
I'm gonna close this, as it's staled. Reopening if needed |
I contributed Logstash patterns a few years ago (https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/firewalls#L86-L88), and wanted to migrate it following a more modern Beats approach.
Besides that, as part of the automation team, I wanted to know how a developer feels when contributing a new module to the project, trying to infer the pain points during the dev process, with the end goal of improving it within build & automation.
Type of change
What does this PR do?
This PR adds a filebeat module for Shorewall a Linux firewall, which follows
Net Filterpattern for logging messages (Please see http://logi.cc/en/2010/07/netfilter-log-format/)Why is this PR important?
This PR adds a new filebeat module, which is great in terms of contribution, but also adds a seed about a very basic tutorial or blog post about how to create a filebeat module from scratch.
Alongside, the PR is trying to represent a canonical manner of creating a new filebeat module. Therefore, all commits in here are written in a very isolated and educational manner, making easier to follow their history by reading commit messages from the initial one to the latest one. For that reason I tried to explain on each of them the rationale for that specific commit.
Development checklist
Main concerns about the development process in terms of dev experience
I tried to follow the tutorials but failed (my fault, it could have been a RTFM issue). I googled "create filebeat module" and clicked on the first result: https://www.elastic.co/guide/en/beats/devguide/current/filebeat-modules-devguide.html. Then I started following the steps in there. But failed at the very beginning when I had to create a
fileset:$ make create-fileset MODULE=shorewall FILESET=XXX'At that point of the guide, it's not explained what a fileset is. I'm super lucky to have @sayden in the team so I hijacked him and his knowledge to help me during the entire process. That's why I completely skipped the tutorial at all (my RTFM fault again 😞).
Here I list with more topics that caused me trouble:
make unitto run just the unit tests.make testsuiteis an all-or-nothing approach, which takes a lot (more than 30 mins?).beats.pyto be able to run the tests. In my mind, autogenerating a expected output must not be blocked by those checks, because it's autogenerated. I could have evolved it with every documentation iteration, but failed to it.%{SHOREWALL}keyword into the grok pattern and voilà! But no, I had to copy the representation of it, and parse it manually._meta/fields.ymlapproach to define fields. Also understanding that each fileset has its own fields.yml, which is superseeded by the parent one was not clear. I had to copy NATS module descriptors for that, and groomed/pruned what I need.network.interface.inandnetwork.interface.out, that's why I have to add customshorewall.network.in/out.