Add 21 autogenerated filesets from rsa2elk devices

[adriansr]

What does this PR do?

This adds the following experimental filesets based on Apache 2 license device parsers:

• tomcat.log (from apachetomcat)
• netscout.sightline (from arborpeakflowsp)
• barracuda.waf (from barracudawaf)
• f5.bigipapm (from bigipapm)
• bluecoat.director (from bluecoatdirector)
• cisco.nexus (from cisconxos)
• citrix.virtualapps (from citrixxa)
• cylance.protect (from cylance)
• f5.firepass (from firepass)
• fortinet.clientendpoint (from forticlientendpoint)
• imperva.securesphere (from impervawaf)
• infoblox.nios (from infobloxnios)
• juniper.junos (from junosrouter)
• kaspersky.av (from kasperskyav)
• microsoft.dhcp (from msdhcp)
• tenable.nessus_security (from nessusvs)
• rapid7.nexpose (from nexpose)
• radware.defensepro (from radwaredp)
• sonicwall.firewall (from sonicwall)
• squid.log (from squid)
• zscaler.zia (from zscalernss)

Why is it important?

This is an effort to generate as many as possible experimental input sources from a set of 300 Apache2-licensed log parsers.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Notes to reviewers

The modules in this PR are autogenerated. All follow the same format:

sonicwall/
├── README.md
├── _meta
│   ├── config.yml
│   ├── docs.asciidoc
│   └── fields.yml
└── firewall
    ├── _meta
    │   └── fields.yml
    ├── config
    │   ├── input.yml
    │   ├── liblogparser.js
    │   └── pipeline.js
    ├── ingest
    │   └── pipeline.yml
    ├── manifest.yml
    └── test
        ├── generated.log
        └── generated.log-expected.json

The README.md, config.yml, docs.asciidoc and fields.yml are the same, basically replacing the module/vendor/product name.

Same for input.yml and manifest.yml. They define the same variables and inputs (tcp, udp and file).

The generated.log files are autogenerated by the same program that converts the original XML files to Javascript. Generating logs using parser's patterns (some with overlap) and user-defined field names is hard. Some generated logs make more sense than others.

A few selected modules contain real logs that we were able to obtain from other sources. Currently:

• squid
• zscaler

The liblogparser.js is the helper Javascript library for the parser. It's important to review this file. It's the same for all filesets.

The pipeline.js is the autogenerated pipeline. Contains all the parsers and actions defined in the source XML. We're aware that some of these parsers are outdated and some partly broken regarding extra whitespace in patterns. There will be an ongoing effort to fix them.

A couple of modules already existed:

• cisco (new fileset nexus)
• fortinet (new fileset clientendpoint)

In this case the _meta/config.yml and _meta/docs.asciidoc have been merged automatically.

---

Some parsers are currently broken (have tags: dissect_parsing_error). I'm working on fixing those.

---

The code for the generator is in https://github.com/adriansr/nwdevice2filebeat

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[elasticmachine]

💔 Tests Failed

Expand to view the summary

Build stats

• Build Cause: [Pull request #19713 updated]

• Start Time: 2020-07-13T22:08:53.798+0000

• Duration: 74 min 25 sec

Test stats 🧪

Test	Results
Failed	12
Passed	8532
Skipped	1572
Total	10116

Test errors

Expand to view the tests failures

• Name: Build and Test / Libbeat / Libbeat oss / test_dev_tool_export_dashboard_by_id – test_dashboard.Test

  • Age: 1
  • Duration: 0.195
  • Error Details: Expected exit code to be 0, but it was 1

• Name: Build and Test / Libbeat / Libbeat oss / test_dev_tool_export_dashboard_by_id_from_space – test_dashboard.Test

  • Age: 1
  • Duration: 0.009
  • Error Details: HTTPConnectionPool(host='kibana', port=5601): Max retries exceeded with url: /api/status (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f533c8b9588>: Failed to establish a new connection: [Errno -2] Name or service not known'))

• Name: Build and Test / Libbeat / Libbeat oss / test_dev_tool_export_dashboard_from_yml – test_dashboard.Test

  • Age: 1
  • Duration: 0.158
  • Error Details: Expected exit code to be 0, but it was 1

• Name: Build and Test / Libbeat / Libbeat oss / test_export_dashboard_cmd_export_dashboard_by_id – test_dashboard.Test

  • Age: 1
  • Duration: 0.215
  • Error Details: Expected exit code to be 0, but it was 1

• Name: Build and Test / Libbeat / Libbeat oss / test_export_dashboard_cmd_export_dashboard_by_id_and_decoding – test_dashboard.Test

  • Age: 1
  • Duration: 0.193
  • Error Details: Expected exit code to be 0, but it was 1

• Name: Build and Test / Libbeat / Libbeat oss / test_export_dashboard_cmd_export_dashboard_by_id_unknown_id – test_dashboard.Test

  • Age: 1
  • Duration: 0.237
  • Error Details:

• Name: Build and Test / Libbeat / Libbeat oss / test_export_dashboard_cmd_export_dashboard_from_not_existent_yml – test_dashboard.Test

  • Age: 1
  • Duration: 0.198
  • Error Details:

• Name: Build and Test / Libbeat / Libbeat oss / test_export_dashboard_cmd_export_dashboard_from_yml – test_dashboard.Test

  • Age: 1
  • Duration: 0.141
  • Error Details: Expected exit code to be 0, but it was 1

• Name: Build and Test / Libbeat / Libbeat oss / test_load_dashboard – test_dashboard.Test

  • Age: 1
  • Duration: 0.13
  • Error Details: Expected exit code to be 0, but it was 1

• Name: Build and Test / Libbeat / Libbeat oss / test_load_dashboard_into_space – test_dashboard.Test

  • Age: 1
  • Duration: 0.021
  • Error Details: HTTPConnectionPool(host='kibana', port=5601): Max retries exceeded with url: /api/status (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f533c8e4e10>: Failed to establish a new connection: [Errno -2] Name or service not known'))

• Name: Build and Test / Libbeat / Libbeat oss / test_load_only_index_patterns – test_dashboard.Test

  • Age: 1
  • Duration: 0.187
  • Error Details: Expected exit code to be 0, but it was 1

• Name: Build and Test / Libbeat / Libbeat oss / test_load_without_dashboard – test_dashboard.Test

  • Age: 1
  • Duration: 0.136
  • Error Details: Expected exit code to be 0, but it was 1

Steps errors

Expand to view the steps failures

• Name: Make -C filebeat testsuite

  • Description: make -C filebeat testsuite

  • Duration: 7 min 2 sec

  • Start Time: 2020-07-13T22:32:10.368+0000

  • log

• Name: Mage update build test

  • Description: mage update build test

  • Duration: 5 min 5 sec

  • Start Time: 2020-07-13T22:32:07.963+0000

  • log

• Name: Make -C auditbeat testsuite

  • Description: make -C auditbeat testsuite

  • Duration: 8 min 31 sec

  • Start Time: 2020-07-13T22:32:15.890+0000

  • log

• Name: Report to Codecov

  • Description: curl -sSLo codecov https://codecov.io/bash for i in auditbeat filebeat heartbeat libbeat metricbeat packetbeat winlogbeat journalbeat do FILE="${i}/build/coverage/full.cov" if [ -f "${FILE}" ]; then bash codecov -f "${FILE}" fi done

  • Duration: 2 min 22 sec

  • Start Time: 2020-07-13T22:39:48.828+0000

  • log

• Name: Report to Codecov

  • Description: curl -sSLo codecov https://codecov.io/bash for i in auditbeat filebeat heartbeat libbeat metricbeat packetbeat winlogbeat journalbeat do FILE="${i}/build/coverage/full.cov" if [ -f "${FILE}" ]; then bash codecov -f "${FILE}" fi done

  • Duration: 2 min 22 sec

  • Start Time: 2020-07-13T22:42:10.671+0000

  • log

• Name: Report to Codecov

  • Description: curl -sSLo codecov https://codecov.io/bash for i in auditbeat filebeat heartbeat libbeat metricbeat packetbeat winlogbeat journalbeat do FILE="${i}/build/coverage/full.cov" if [ -f "${FILE}" ]; then bash codecov -f "${FILE}" fi done

  • Duration: 1 min 27 sec

  • Start Time: 2020-07-13T22:33:31.180+0000

  • log

• Name: Report to Codecov

  • Description: curl -sSLo codecov https://codecov.io/bash for i in auditbeat filebeat heartbeat libbeat metricbeat packetbeat winlogbeat journalbeat do FILE="${i}/build/coverage/full.cov" if [ -f "${FILE}" ]; then bash codecov -f "${FILE}" fi done

  • Duration: 0 min 9 sec

  • Start Time: 2020-07-13T22:33:38.126+0000

  • log

• Name: Make -C libbeat testsuite

  • Description: make -C libbeat testsuite

  • Duration: 37 min 52 sec

  • Start Time: 2020-07-13T22:32:12.279+0000

  • log

• Name: Make -C x-pack/libbeat testsuite

  • Description: make -C x-pack/libbeat testsuite

  • Duration: 6 min 6 sec

  • Start Time: 2020-07-13T22:32:06.768+0000

  • log

• Name: Report to Codecov

  • Description: curl -sSLo codecov https://codecov.io/bash for i in auditbeat filebeat heartbeat libbeat metricbeat packetbeat winlogbeat journalbeat do FILE="${i}/build/coverage/full.cov" if [ -f "${FILE}" ]; then bash codecov -f "${FILE}" fi done

  • Duration: 1 min 27 sec

  • Start Time: 2020-07-13T22:36:44.289+0000

  • log

• Name: Make -C packetbeat testsuite

  • Description: make -C packetbeat testsuite

  • Duration: 7 min 1 sec

  • Start Time: 2020-07-13T22:32:13.394+0000

  • log

• Name: Make -C generator/_templates/metricbeat test-package

  • Description: make -C generator/_templates/metricbeat test-package

  • Duration: 8 min 36 sec

  • Start Time: 2020-07-13T22:35:24.684+0000

  • log

Log output

Expand to view the last 100 lines of log output

[2020-07-13T23:22:50.509Z] + FILE=libbeat/build/coverage/full.cov
[2020-07-13T23:22:50.509Z] + [ -f libbeat/build/coverage/full.cov ]
[2020-07-13T23:22:50.509Z] + FILE=metricbeat/build/coverage/full.cov
[2020-07-13T23:22:50.509Z] + [ -f metricbeat/build/coverage/full.cov ]
[2020-07-13T23:22:50.509Z] + FILE=packetbeat/build/coverage/full.cov
[2020-07-13T23:22:50.509Z] + [ -f packetbeat/build/coverage/full.cov ]
[2020-07-13T23:22:50.509Z] + FILE=winlogbeat/build/coverage/full.cov
[2020-07-13T23:22:50.509Z] + [ -f winlogbeat/build/coverage/full.cov ]
[2020-07-13T23:22:50.509Z] + FILE=journalbeat/build/coverage/full.cov
[2020-07-13T23:22:50.509Z] + [ -f journalbeat/build/coverage/full.cov ]
[2020-07-13T23:22:51.015Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats
[2020-07-13T23:22:51.318Z] + find . -type f -name TEST*.xml -path */build/* -delete
[2020-07-13T23:22:51.330Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Lint
[2020-07-13T23:22:51.411Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Elastic-Agent-Mac-OS-X
[2020-07-13T23:22:51.489Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Elastic-Agent-x-pack
[2020-07-13T23:22:51.564Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Auditbeat-oss-Mac-OS-X
[2020-07-13T23:22:51.637Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Winlogbeat-oss
[2020-07-13T23:22:51.712Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Auditbeat-x-pack-Mac-OS-X
[2020-07-13T23:22:51.792Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Auditbeat-crosscompile
[2020-07-13T23:22:51.869Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Dockerlogbeat
[2020-07-13T23:22:51.942Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Generators-Metricbeat-Linux
[2020-07-13T23:22:52.040Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Journalbeat-oss
[2020-07-13T23:22:52.113Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Functionbeat-x-pack
[2020-07-13T23:22:52.189Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-Mac-OS-X
[2020-07-13T23:22:52.285Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Filebeat-x-pack-Mac-OS-X
[2020-07-13T23:22:52.385Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-x-pack-Mac-OS-X
[2020-07-13T23:22:52.462Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Filebeat-x-pack
[2020-07-13T23:22:52.542Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Elastic-Agent-x-pack-Windows
[2020-07-13T23:22:52.617Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-OSS-Unit-tests
[2020-07-13T23:22:52.690Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Libbeat-x-pack
[2020-07-13T23:22:52.794Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Filebeat-oss
[2020-07-13T23:22:52.888Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Packetbeat-oss
[2020-07-13T23:22:52.966Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Auditbeat-oss-Linux
[2020-07-13T23:22:53.039Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Auditbeat-x-pack
[2020-07-13T23:22:53.117Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Auditbeat-oss-Windows
[2020-07-13T23:22:53.196Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Auditbeat-x-pack-Windows
[2020-07-13T23:22:53.283Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Winlogbeat-Windows-x-pack
[2020-07-13T23:22:53.362Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Filebeat-x-pack-Windows
[2020-07-13T23:22:53.440Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Filebeat-Mac-OS-X
[2020-07-13T23:22:53.519Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-crosscompile
[2020-07-13T23:22:53.593Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Heartbeat-oss
[2020-07-13T23:22:53.668Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Filebeat-Windows
[2020-07-13T23:22:53.741Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Winlogbeat-Windows
[2020-07-13T23:22:53.822Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Functionbeat-Mac-OS-X-x-pack
[2020-07-13T23:22:53.897Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Heartbeat-Mac-OS-X
[2020-07-13T23:22:53.971Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-x-pack-Windows
[2020-07-13T23:22:54.043Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-Windows
[2020-07-13T23:22:54.119Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Functionbeat-Windows
[2020-07-13T23:22:54.226Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Heartbeat-Windows
[2020-07-13T23:22:54.308Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Libbeat-oss
[2020-07-13T23:22:54.394Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-Python-integration-tests
[2020-07-13T23:22:54.481Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-OSS-Integration-tests
[2020-07-13T23:22:54.564Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-x-pack
[2020-07-13T23:22:54.938Z] + cat
[2020-07-13T23:22:54.938Z] + /usr/local/bin/runbld ./runbld-script
[2020-07-13T23:22:54.938Z] Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
[2020-07-13T23:23:01.523Z] runbld>>> runbld started
[2020-07-13T23:23:01.523Z] runbld>>> 1.6.12/f45d832f2ba0aa2722ab4ec1fda8ad140f027f8b
[2020-07-13T23:23:02.906Z] runbld>>> The following profiles matched the job 'Beats/beats/PR-19713' in order of occurrence in the config (last value wins).
[2020-07-13T23:23:04.289Z] runbld>>> Debug logging enabled.
[2020-07-13T23:23:04.289Z] runbld>>> Storing result
[2020-07-13T23:23:04.289Z] runbld>>> Store result: created {:total 2, :successful 2, :failed 0} 1
[2020-07-13T23:23:04.289Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200713232303-E151C80A
[2020-07-13T23:23:04.289Z] runbld>>> Adding system facts.
[2020-07-13T23:23:05.233Z] runbld>>> Adding vcs info for the latest commit:  bdf37be9d837f886ae31589ba23761953d7edd49
[2020-07-13T23:23:05.233Z] runbld>>> >>>>>>>>>>>> SCRIPT EXECUTION BEGIN >>>>>>>>>>>>
[2020-07-13T23:23:05.233Z] runbld>>> Adding /usr/lib/jvm/java-8-openjdk-amd64/bin to the path.
[2020-07-13T23:23:05.233Z] Processing JUnit reports with runbld...
[2020-07-13T23:23:05.233Z] + echo 'Processing JUnit reports with runbld...'
[2020-07-13T23:23:05.497Z] runbld>>> <<<<<<<<<<<< SCRIPT EXECUTION END <<<<<<<<<<<<
[2020-07-13T23:23:05.497Z] runbld>>> DURATION: 19ms
[2020-07-13T23:23:05.497Z] runbld>>> STDOUT: 40 bytes
[2020-07-13T23:23:05.497Z] runbld>>> STDERR: 49 bytes
[2020-07-13T23:23:05.497Z] runbld>>> WRAPPED PROCESS: SUCCESS (0)
[2020-07-13T23:23:05.497Z] runbld>>> Searching for build metadata in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats
[2020-07-13T23:23:06.439Z] runbld>>> Storing build metadata: 
[2020-07-13T23:23:06.439Z] runbld>>> Adding test report.
[2020-07-13T23:23:06.439Z] runbld>>> Searching for junit test output files with the pattern: TEST-.*\.xml$ in: /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats
[2020-07-13T23:23:07.379Z] runbld>>> Found 109 test output files
[2020-07-13T23:23:07.953Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-istio.xml
[2020-07-13T23:23:07.953Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-tomcat.xml
[2020-07-13T23:23:07.953Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-iis.xml
[2020-07-13T23:23:07.953Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-openmetrics.xml
[2020-07-13T23:23:07.953Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-activemq.xml
[2020-07-13T23:23:09.339Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-OSS-Integration-tests/metricbeat/build/TEST-go-integration-graphite.xml
[2020-07-13T23:23:09.339Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19713/src/github.com/elastic/beats/Metricbeat-OSS-Integration-tests/metricbeat/build/TEST-go-integration-windows.xml
[2020-07-13T23:23:09.339Z] runbld>>> Test output logs contained: Errors: 2 Failures: 10 Tests: 9970 Skipped: 1334
[2020-07-13T23:23:09.600Z] runbld>>> Storing result
[2020-07-13T23:23:09.600Z] runbld>>> FAILURES: 12
[2020-07-13T23:23:12.165Z] runbld>>> Store result: updated {:total 2, :successful 2, :failed 0} 2
[2020-07-13T23:23:12.165Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200713232303-E151C80A
[2020-07-13T23:23:12.165Z] runbld>>> Email notification disabled by environment variable.
[2020-07-13T23:23:12.165Z] runbld>>> Slack notification disabled by environment variable.
[2020-07-13T23:23:17.918Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats_PR-19713
[2020-07-13T23:23:18.017Z] [INFO] getVaultSecret: Getting secrets
[2020-07-13T23:23:18.086Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-07-13T23:23:18.796Z] + chmod 755 generate-build-data.sh
[2020-07-13T23:23:18.796Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-19713/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-19713/runs/6 FAILURE 4464738
[2020-07-13T23:23:18.796Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-19713/runs/6/steps/?limit=10000 -o steps-info.json
[2020-07-13T23:23:20.139Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-19713/runs/6/tests/?status=FAILED -o tests-errors.json

[andrewstucki]

Did an initial scan through the first 1/3 or so of mappings. Awesome work @adriansr! This might take awhile to get through though :(

Made some comments on the field mappings, but most important changes IMO right now are:

1. Drop the event.category fields for now since they're not currently mapping to ECS-allowed values
2. user.name should be treated as a string rather than an array--dump everything under related.user that's currently under user.name and then, if we have time we can figure out which of the referenced user belongs under user.name.

[andrewstucki]

this doesn't look right, the content field would be the raw bytes of the jpeg in this case, so not something we'd fill in since it's binary data

[adriansr]

This is the field webpage, mapped to http.response.body.content. I don't think any parser is going to capture the full body of a request, so we might as well not map this field to ECS, as there is no field for the document name. Maybe file.name? @webmat WDYT?

[leehinman]

Wow. Amazing work.

[leehinman]

should the ips, ports, proto & service be parsed out? seems odd that it isn't.

[leehinman]

event.outcome should be lowercase "success"

[leehinman]

Is this right?, looks off with the [

[adriansr]

There's something off in this parser or the log generator. I will check

[leehinman]

is the dissect failing? seems odd we aren't getting src & dst fields out of this.

[adriansr]

fixed

[leehinman]

seems odd that the event_time_str field is populated with a number.

[adriansr]

Yep, that's how this parser is defined. squid uses UNIX timestamps, which is captured it in event_time_str (raw). That is used to populate event_time and @timestamp.

[leehinman]

very minor. I'm assuming "-" means no user name. can we skip if "-"?

[leehinman]

seems odd that these fields have full url

[adriansr]

It's a bit odd. This parser is capturing the full URL and setting fqdn to that. There's a method to extract the FQDN from an URL, but it's not using it for some reason.

[adriansr]

@leehinman @andrewstucki I think I've addressed all the issues I could. Thanks a lot for your feedback, it's helping to add a lot of improvement.

[tsg]

I have reviewed the generated docs and scanned the rest. 👍

[leehinman]

Might be a problem with the original parsers. I think "tur" is the timezone, not a duration.

[adriansr]

Merged using admin privileges due to CI flakiness. All tests passing in my computer.