New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cherry-pick #20138 to 7.x: [Filebeat] Update crowdstrike module #20176

Merged

andrewstucki merged 2 commits into elastic:7.x from andrewstucki:backport_20138_7.x

Jul 23, 2020

andrewstucki commented Jul 23, 2020 •

edited by zube bot

Loading

Cherry-pick of PR #20138 to 7.x branch. Original message:

What does this PR do?

I've been in the crowdstrike module recently anyway and noticed that there was an open issue reporting some parsing errors. I went ahead and just added some fixes for them.

One thing to note--due to normalizing all timestamps to UNIX_MS this is technically a breaking change. Do we want to be more conservative about the normalization?

Checklist

My code follows the style guidelines of this project
~~[ ] I have commented my code, particularly in hard-to-understand areas~~
~~[ ] I have made corresponding changes to the documentation~~
~~[ ] I have made corresponding change to the default configuration files~~
I have added tests that prove my fix is effective or that my feature works
I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

Closes Crowdstrike Filebeat Module: Parsing Issues #20035


          [Filebeat] Update crowdstrike module (elastic#20138)

af470f8

* Update crowdstrike module

(cherry picked from commit 5e9a3a5)

andrewstucki added [zube]: In Review backport Team:SIEM labels

Collaborator

elasticmachine commented Jul 23, 2020

Pinging @elastic/siem (Team:SIEM)

botelastic bot added needs_team and removed needs_team labels


          Fix up changelog

b8e60bf

Collaborator

elasticmachine commented Jul 23, 2020 •

edited by jenkins-beats-ci bot

Loading

💔 Tests Failed

Expand to view the summary

Build stats

Build Cause: [Pull request #20176 updated]
Start Time: 2020-07-23T03:04:56.077+0000
Duration: 58 min 1 sec

Test stats 🧪

Test	Results
Failed	19
Passed	4247
Skipped	685
Total	4951

Test errors

Expand to view the tests failures

Name: Build and Test / Filebeat x-pack / test_fileset_file_056_o365 – test_xpack_modules.XPackTest
- Age: 1
- Duration: 3.688
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'log.offset': 0, 'source.geo.continent_name': 'Europe', 'source.geo.region_iso_code': 'ES-B', 'source.geo.city_name': 'Barcelona', 'source.geo.country_iso_code': 'ES', 'source.geo.region_name': 'Barcelona', 'source.geo.location.lon': 2.1611, 'source.geo.location.lat': 41.3891, 'source.as.number': 3352, 'source.as.organization.name': 'Telefonica De Espana', 'source.ip': '213.97.47.133', 'network.type': 'ipv4', 'o365.audit.Site': 'd5180cfc-3479-44d6-b410-8c985ac894e3', 'o365.audit.ObjectId': 'https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png', 'o365.audit.SourceFileName': 'Screenshot 2020-01-27 at 11.30.48.png', 'o365.audit.ItemType': 'File', 'o365.audit.UserKey': 'i:0h.f|membership|[email protected]', 'o365.audit.SiteUrl': 'https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/', 'o365.audit.Operation': 'FileDeleted', 'o365.audit.OrganizationId': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'o365.audit.SourceFileExtension': 'png', 'o365.audit.ClientIP': '213.97.47.133', 'o365.audit.Workload': 'OneDrive', 'o365.audit.SourceRelativeUrl': 'Documents', 'o365.audit.EventSource': 'SharePoint', 'o365.audit.ListId': '2b6ad2bd-0fd7-4556-9c89-a97847085b85', 'o365.audit.RecordType': 6, 'o365.audit.Version': 1, 'o365.audit.WebId': '8c5c94bb-8396-470c-87d7-8999f440cd30', 'o365.audit.UserId': '[email protected]', 'o365.audit.CreationTime': '2020-02-07T16:44:07', 'o365.audit.UserAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0', 'o365.audit.Id': 'ec04aa09-0a43-4879-cdc8-08d7abecf327', 'o365.audit.CorrelationId': '652b339f-908c-a000-f25f-91423da7dd9b', 'o365.audit.UserType': 0, 'o365.audit.ListItemUniqueId': '4803608a-df7d-4f63-aa73-67aa33bb576e', 'file.extension': 'png', 'file.name': 'Screenshot 2020-01-27 at 11.30.48.png', 'file.directory': 'Documents', 'related.ip': '213.97.47.133', 'related.user': 'asr', 'host.name': 'testsiem.onmicrosoft.com', 'host.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'client.address': '213.97.47.133', 'client.ip': '213.97.47.133', 'event.code': 'SharePointFileOperation', 'event.provider': 'OneDrive', 'event.kind': 'event', 'event.module': 'o365', 'event.action': 'FileDeleted', 'event.id': 'ec04aa09-0a43-4879-cdc8-08d7abecf327', 'event.category': 'file', 'event.type': 'deletion', 'event.dataset': 'o365.audit', 'event.outcome': 'success', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.14', 'user_agent.os.full': 'Mac OS X 10.14', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '72.0.', 'fileset.name': 'audit', 'url.original': 'https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png', 'tags': ['forwarded'], 'input.type': 'log', '@timestamp': '2020-02-07T16:44:07.000Z', 'service.type': 'o365', 'organization.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'user.domain': 'testsiem.onmicrosoft.com', 'user.name': 'asr', 'user.id': '[email protected]'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing o365/audit on /go/src/github.com/elastic/beats/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat x-pack / test_fileset_file_060_o365 – test_xpack_modules.XPackTest
- Age: 1
- Duration: 3.366
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'log.offset': 0, 'source.geo.continent_name': 'Europe', 'source.geo.region_iso_code': 'ES-B', 'source.geo.city_name': 'Barcelona', 'source.geo.country_iso_code': 'ES', 'source.geo.region_name': 'Barcelona', 'source.geo.location.lon': 2.1611, 'source.geo.location.lat': 41.3891, 'source.as.number': 3352, 'source.as.organization.name': 'Telefonica De Espana', 'source.ip': '213.97.47.133', 'fileset.name': 'audit', 'network.type': 'ipv4', 'tags': ['forwarded'], 'o365.audit.Site': 'd5180cfc-3479-44d6-b410-8c985ac894e3', 'o365.audit.ObjectId': 'https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx', 'o365.audit.ItemType': 'Page', 'o365.audit.UserKey': 'i:0h.f|membership|[email protected]', 'o365.audit.OrganizationId': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'o365.audit.Operation': 'PageViewed', 'o365.audit.ClientIP': '213.97.47.133', 'o365.audit.Workload': 'OneDrive', 'o365.audit.EventSource': 'SharePoint', 'o365.audit.RecordType': 4, 'o365.audit.Version': 1, 'o365.audit.WebId': '8c5c94bb-8396-470c-87d7-8999f440cd30', 'o365.audit.UserId': '[email protected]', 'o365.audit.CreationTime': '2020-02-07T16:43:53', 'o365.audit.UserAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0', 'o365.audit.CustomUniqueId': True, 'o365.audit.Id': '99d005e6-a4c6-46fd-117c-08d7abeceab5', 'o365.audit.CorrelationId': '622b339f-4000-a000-f25f-92b3478c7a25', 'o365.audit.ListItemUniqueId': '59a8433d-9bb8-cfef-6edc-4c0fc8b86875', 'o365.audit.UserType': 0, 'input.type': 'log', '@timestamp': '2020-02-07T16:43:53.000Z', 'related.ip': '213.97.47.133', 'related.user': 'asr', 'service.type': 'o365', 'organization.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'host.name': 'testsiem.onmicrosoft.com', 'host.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'client.address': '213.97.47.133', 'client.ip': '213.97.47.133', 'event.code': 'SharePoint', 'event.provider': 'OneDrive', 'event.kind': 'event', 'event.module': 'o365', 'event.action': 'PageViewed', 'event.id': '99d005e6-a4c6-46fd-117c-08d7abeceab5', 'event.category': 'web', 'event.type': 'info', 'event.dataset': 'o365.audit', 'event.outcome': 'success', 'user.domain': 'testsiem.onmicrosoft.com', 'user.name': 'asr', 'user.id': '[email protected]', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.14', 'user_agent.os.full': 'Mac OS X 10.14', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '72.0.'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing o365/audit on /go/src/github.com/elastic/beats/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat x-pack / test_fileset_file_061_o365 – test_xpack_modules.XPackTest
- Age: 1
- Duration: 3.614
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'log.offset': 3965, 'source.geo.continent_name': 'Europe', 'source.geo.region_iso_code': 'ES-B', 'source.geo.city_name': 'Barcelona', 'source.geo.country_iso_code': 'ES', 'source.geo.region_name': 'Barcelona', 'source.geo.location.lon': 2.1611, 'source.geo.location.lat': 41.3891, 'source.as.number': 3352, 'source.as.organization.name': 'Telefonica De Espana', 'source.ip': '79.159.10.151', 'fileset.name': 'audit', 'tags': ['forwarded'], 'network.type': 'ipv4', 'o365.audit.Site': 'd5180cfc-3479-44d6-b410-8c985ac894e3', 'o365.audit.ObjectId': 'https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com//personal/asr_testsiem_onmicrosoft_com/Sharing Links', 'o365.audit.UserKey': 'i:0h.f|membership|[email protected]', 'o365.audit.ItemType': 'List', 'o365.audit.Operation': 'SharingInheritanceBroken', 'o365.audit.SiteUrl': 'https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com', 'o365.audit.OrganizationId': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'o365.audit.ClientIP': '79.159.10.151', 'o365.audit.EventData': 'FalseFalse', 'o365.audit.Workload': 'OneDrive', 'o365.audit.SourceRelativeUrl': 'Sharing Links', 'o365.audit.EventSource': 'SharePoint', 'o365.audit.ListId': 'b108938d-3546-4359-925d-a1b54b4db8c2', 'o365.audit.RecordType': 14, 'o365.audit.Version': 1, 'o365.audit.UserId': '[email protected]', 'o365.audit.WebId': '8c5c94bb-8396-470c-87d7-8999f440cd30', 'o365.audit.CreationTime': '2020-02-14T18:25:45', 'o365.audit.UserAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0', 'o365.audit.CorrelationId': 'fe71359f-005f-9000-7cb1-ccf5124703db', 'o365.audit.Id': 'dd162cd7-5df5-4fef-078a-08d7b17b4e95', 'o365.audit.UserType': 0, 'input.type': 'log', '@timestamp': '2020-02-14T18:25:45.000Z', 'related.ip': '79.159.10.151', 'related.user': 'asr', 'service.type': 'o365', 'organization.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'host.name': 'testsiem.onmicrosoft.com', 'host.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'client.address': '79.159.10.151', 'client.ip': '79.159.10.151', 'event.code': 'SharePointSharingOperation', 'event.provider': 'OneDrive', 'event.kind': 'event', 'event.module': 'o365', 'event.action': 'SharingInheritanceBroken', 'event.id': 'dd162cd7-5df5-4fef-078a-08d7b17b4e95', 'event.type': 'info', 'event.category': 'web', 'event.dataset': 'o365.audit', 'event.outcome': 'success', 'user.domain': 'testsiem.onmicrosoft.com', 'user.name': 'asr', 'user.id': '[email protected]', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.14', 'user_agent.os.full': 'Mac OS X 10.14', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '73.0.'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing o365/audit on /go/src/github.com/elastic/beats/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat x-pack / test_fileset_file_062_o365 – test_xpack_modules.XPackTest
- Age: 1
- Duration: 8.264
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'log.offset': 0, 'source.geo.continent_name': 'Europe', 'source.geo.region_iso_code': 'ES-B', 'source.geo.city_name': 'Barcelona', 'source.geo.country_iso_code': 'ES', 'source.geo.region_name': 'Barcelona', 'source.geo.location.lon': 2.1611, 'source.geo.location.lat': 41.3891, 'source.as.number': 3352, 'source.as.organization.name': 'Telefonica De Espana', 'source.ip': '83.57.233.151', 'fileset.name': 'audit', 'network.type': 'ipv4', 'tags': ['forwarded'], 'o365.audit.AzureActiveDirectoryEventType': 1, 'o365.audit.UserKey': '[email protected]', 'o365.audit.ActorIpAddress': '83.57.233.151', 'o365.audit.Operation': 'UserLoggedIn', 'o365.audit.OrganizationId': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'o365.audit.ExtendedProperties.ResultStatusDetail': 'Success', 'o365.audit.ExtendedProperties.UserAgent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0', 'o365.audit.ExtendedProperties.KeepMeSignedIn': 'False', 'o365.audit.ExtendedProperties.UserAuthenticationMethod': '9', 'o365.audit.ExtendedProperties.RequestType': 'OAuth2:Authorize', 'o365.audit.IntraSystemId': 'c4206c29-46c2-4a6f-a46b-735107705400', 'o365.audit.Target': [{'Type': 0, 'ID': '00000002-0000-0000-c000-000000000000'}], 'o365.audit.RecordType': 15, 'o365.audit.Version': 1, 'o365.audit.SupportTicketId': '', 'o365.audit.Actor': [{'Type': 0, 'ID': '755e500a-6c03-46b0-b53b-282f23374e3b'}, {'Type': 5, 'ID': '[email protected]'}, {'Type': 3, 'ID': '1003200096971F55'}], 'o365.audit.ActorContextId': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'o365.audit.ObjectId': '00000002-0000-0000-c000-000000000000', 'o365.audit.ResultStatus': 'Succeeded', 'o365.audit.ClientIP': '83.57.233.151', 'o365.audit.Workload': 'AzureActiveDirectory', 'o365.audit.UserId': '[email protected]', 'o365.audit.TargetContextId': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'o365.audit.CreationTime': '2020-02-10T15:13:13', 'o365.audit.Id': 'ca0efc24-1b89-4962-8fef-a3ac5437302f', 'o365.audit.InterSystemsId': '03616b3a-fc75-46a1-b34a-2d82fc8f1e7e', 'o365.audit.ApplicationId': '4345a7b9-9a63-4910-a426-35363201d503', 'o365.audit.UserType': 0, 'input.type': 'log', '@timestamp': '2020-02-10T15:13:13.000Z', 'related.ip': '83.57.233.151', 'related.user': 'asr', 'service.type': 'o365', 'organization.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'host.name': 'testsiem.onmicrosoft.com', 'host.id': 'b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd', 'client.address': '83.57.233.151', 'client.ip': '83.57.233.151', 'event.code': 'AzureActiveDirectoryStsLogon', 'event.provider': 'AzureActiveDirectory', 'event.kind': 'event', 'event.module': 'o365', 'event.action': 'UserLoggedIn', 'event.id': 'ca0efc24-1b89-4962-8fef-a3ac5437302f', 'event.type': ['start', 'authentication_success'], 'event.category': 'authentication', 'event.dataset': 'o365.audit', 'event.outcome': 'success', 'user.domain': 'testsiem.onmicrosoft.com', 'user.name': 'asr', 'user.id': '[email protected]', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.14', 'user_agent.os.full': 'Mac OS X 10.14', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '72.0.'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing o365/audit on /go/src/github.com/elastic/beats/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat x-pack / test_fileset_file_095_cylance – test_xpack_modules.XPackTest
- Age: 1
- Duration: 9.209
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['rsa.time.event_time']": {'new_value': '2020-07-24T10:58:48.000Z', 'old_value': '2019-07-24T10:58:48.000Z'}, "root['@timestamp']": {'new_value': '2020-07-24T10:58:48.000Z', 'old_value': '2019-07-24T10:58:48.000Z'}}}, full object:
  {'rsa.internal.messageid': 'CylancePROTECT', 'rsa.identity.firstname': 'rinc', 'rsa.identity.lastname': 'tno', 'rsa.investigations.event_cat': 1609000000, 'rsa.investigations.event_cat_name': 'System.Alerts', 'rsa.time.event_time': '2020-07-24T10:58:48.000Z', 'rsa.db.index': 'rExce', 'rsa.misc.device_name': 'ncididu', 'rsa.misc.event_type': 'Alert', 'rsa.misc.mail_id': 'meumf', 'rsa.network.alias_host': ['squ2213.www.test'], 'log.offset': 24048, 'fileset.name': 'protect', 'tags': ['cylance.protect', 'forwarded'], 'observer.product': 'Protect', 'observer.vendor': 'Cylance', 'observer.type': 'Anti-Virus', 'input.type': 'log', '@timestamp': '2020-07-24T10:58:48.000Z', 'service.type': 'cylance', 'host.name': 'squ2213.www.test', 'event.original': '24-Jul-2019 8:58:48 very-high uiacon6640.api.localhost suntexpl <sBonoru 24T08:58:48.everi squ2213.www.test CylancePROTECT Event Name:Alert, Device Message: Device: ncididu; Zones Removed: itati; Zones Added: nostrude, User: rinc tno (meumf), Zone Names:rExce Device Id: quisquam', 'event.code': 'CylancePROTECT', 'event.module': 'cylance', 'event.action': 'Alert', 'event.dataset': 'cylance.protect'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing cylance/protect on /go/src/github.com/elastic/beats/x-pack/filebeat/module/cylance/protect/test/generated.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat x-pack / test_fileset_file_106_okta – test_xpack_modules.XPackTest
- Age: 1
- Duration: 3.416
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'log.offset': 0, 'source.geo.continent_name': 'North America', 'source.geo.region_iso_code': 'US-CA', 'source.geo.city_name': 'Dublin', 'source.geo.country_iso_code': 'US', 'source.geo.region_name': 'California', 'source.geo.location.lon': -121.919, 'source.geo.location.lat': 37.7201, 'source.as.number': 7018, 'source.as.organization.name': 'AT&T Services, Inc.', 'source.ip': '108.255.197.247', 'source.user.full_name': 'xxxxxx', 'source.user.id': '00u1abvz4pYqdM8ms4x6', 'fileset.name': 'system', 'tags': ['forwarded'], 'input.type': 'log', '@timestamp': '2020-02-14T22:18:51.843Z', 'related.ip': '108.255.197.247', 'related.user': 'xxxxxx', 'service.type': 'okta', 'client.geo.city_name': 'Dublin', 'client.geo.country_name': 'United States', 'client.geo.location.lon': -121.919, 'client.geo.location.lat': 37.7201, 'client.geo.region_name': 'California', 'client.ip': '108.255.197.247', 'client.user.full_name': 'xxxxxx', 'client.user.id': '00u1abvz4pYqdM8ms4x6', 'event.original': '{"actor":{"alternateId":"[email protected]","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"108.255.197.247","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/login/signout","threatSuspected":"false","url":"/login/signout?message=login_page_messages.session_has_expired"}},"displayMessage":"User logout from Okta","eventType":"user.session.end","legacyEventType":"core.user_auth.logout_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T22:18:51.843Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"108.255.197.247","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkccyyMli2Uay2I93ZgRzQAAB0c","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"}', 'event.kind': 'event', 'event.module': 'okta', 'event.action': 'user.session.end', 'event.id': 'faf7398a-4f77-11ea-97fb-5925e98228bd', 'event.type': ['access'], 'event.category': ['authentication'], 'event.dataset': 'okta.system', 'event.outcome': 'success', 'okta.actor.id': '00u1abvz4pYqdM8ms4x6', 'okta.actor.type': 'User', 'okta.actor.display_name': 'xxxxxx', 'okta.actor.alternate_id': '[email protected]', 'okta.debug_context.debug_data.threat_suspected': 'false', 'okta.debug_context.debug_data.request_id': 'XkccyyMli2Uay2I93ZgRzQAAB0c', 'okta.debug_context.debug_data.request_uri': '/login/signout', 'okta.debug_context.debug_data.url': '/login/signout?message=login_page_messages.session_has_expired', 'okta.event_type': 'user.session.end', 'okta.authentication_context.authentication_step': 0, 'okta.authentication_context.external_session_id': '102nZHzd6OHSfGG51vsoc22gw', 'okta.client.zone': 'null', 'okta.client.ip': '108.255.197.247', 'okta.client.device': 'Computer', 'okta.client.user_agent.raw_user_agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0', 'okta.client.user_agent.os': 'Mac OS X', 'okta.client.user_agent.browser': 'FIREFOX', 'okta.display_message': 'User logout from Okta', 'okta.uuid': 'faf7398a-4f77-11ea-97fb-5925e98228bd', 'okta.outcome.result': 'SUCCESS', 'okta.transaction.id': 'XkccyyMli2Uay2I93ZgRzQAAB0c', 'okta.transaction.type': 'WEB', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.15', 'user_agent.os.full': 'Mac OS X 10.15', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '72.0.'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing okta/system on /go/src/github.com/elastic/beats/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat x-pack / test_fileset_file_167_zscaler – test_xpack_modules.XPackTest
- Age: 1
- Duration: 9.117
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'U307AS', 'old_value': 'Generic Smartphone'}}}, full object:
  {'rsa.internal.data': 'amco', 'rsa.internal.messageid': 'ZSCALERNSS_1', 'rsa.web.fqdn': 'orsitame3262.domain', 'rsa.identity.user_dept': 'onev', 'rsa.investigations.ec_subject': 'User', 'rsa.investigations.ec_activity': 'Deny', 'rsa.investigations.ec_theme': 'Communication', 'rsa.investigations.event_vcat': 'uptassi', 'rsa.time.timezone': 'CT', 'rsa.time.event_time': '2016-02-26T10:15:08.000Z', 'rsa.threat.threat_category': 'tur', 'rsa.db.index': 'nsequat', 'rsa.misc.result': 'success', 'rsa.misc.filter': 'tconsec', 'rsa.misc.reference_id': 'laboreet', 'rsa.misc.action': ['giatq', 'Blocked'], 'rsa.misc.result_code': 'tia', 'rsa.misc.category': 'llu', 'rsa.network.alias_host': ['orsitame3262.domain'], 'log.offset': 1742, 'destination.bytes': 1837, 'destination.ip': ['10.204.86.149'], 'source.bytes': 2935, 'source.ip': ['10.254.146.57'], 'network.protocol': 'igmp', 'network.bytes': 6905, 'observer.product': 'Internet', 'observer.vendor': 'Zscaler', 'observer.type': 'Configuration', 'file.type': 'oluptas', 'related.ip': ['10.254.146.57', '10.204.86.149'], 'related.user': ['tenima'], 'host.name': 'orsitame3262.domain', 'event.original': 'amco ZSCALERNSS: time=exe Feb 26 8:15:08 2016^^timezone=CT^^action=Blocked^^reason=success^^hostname=orsitame3262.domain^^protocol=igmp^^serverip=10.204.86.149^^url=https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte^^urlcategory=tconsec^^urlclass=nsequat^^dlpdictionaries=taev^^dlpengine=roidents^^filetype=oluptas^^threatcategory=llu^^threatclass=uptassi^^pagerisk=tamremap^^threatname=tur^^clientpublicIP=aperi^^ClientIP=10.254.146.57^^location=estqui^^refererURL=https://www5.example.net/emaper/ssitasp.html?enimad=rmagni#sit^^useragent=Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36^^department=onev^^user=tenima^^event_id=laboreet^^clienttranstime=aquaeabi^^requestmethod=giatq^^requestsize=2935^^requestversion=veleumi^^status=tia^^responsesize=1837^^responseversion=ude^^transactionsize=6905', 'event.code': 'laboreet', 'event.timezone': 'CT', 'event.module': 'zscaler', 'event.action': 'Blocked', 'event.dataset': 'zscaler.zia', 'user_agent.original': 'Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36', 'user_agent.os.name': 'Android', 'user_agent.os.version': '9', 'user_agent.os.full': 'Android 9', 'user_agent.name': 'Chrome Mobile', 'user_agent.device.name': 'U307AS', 'user_agent.version': '83.0.4103.83', 'fileset.name': 'zia', 'url.original': 'https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte', 'tags': ['zscaler.zia', 'forwarded'], 'input.type': 'log', '@timestamp': '2016-02-26T10:15:08.000Z', 'service.type': 'zscaler', 'http.request.referrer': 'https://www5.example.net/emaper/ssitasp.html?enimad=rmagni#sit', 'user.name': 'tenima'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing zscaler/zia on /go/src/github.com/elastic/beats/x-pack/filebeat/module/zscaler/zia/test/generated.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat x-pack / test_fileset_file_180_suricata – test_xpack_modules.XPackTest
- Age: 1
- Duration: 3.56
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'log.offset': 985, 'destination.address': '192.168.86.28', 'destination.port': 63963, 'destination.ip': '192.168.86.28', 'destination.domain': '192.168.86.28', 'source.address': '192.168.86.85', 'source.port': 56119, 'source.ip': '192.168.86.85', 'fileset.name': 'eve', 'url.path': '/dd.xml', 'url.original': '/dd.xml', 'url.domain': '192.168.86.28', 'tags': ['suricata'], 'network.community_id': '1:gjMiDGtS5SVvdwzjjQdAKGBrDA4=', 'network.protocol': 'http', 'network.transport': 'tcp', 'input.type': 'log', '@timestamp': '2018-07-05T19:43:47.690Z', 'related.ip': ['192.168.86.85', '192.168.86.28'], 'service.type': 'suricata', 'http.request.method': 'GET', 'http.response.status_code': 200, 'http.response.body.bytes': 1155, 'suricata.eve.in_iface': 'en0', 'suricata.eve.event_type': 'http', 'suricata.eve.flow_id': 2115002772430095, 'suricata.eve.http.protocol': 'HTTP/1.1', 'suricata.eve.http.http_content_type': 'text/xml', 'suricata.eve.tx_id': 0, 'event.original': '{"timestamp":"2018-07-05T15:43:47.690014-0400","flow_id":2115002772430095,"in_iface":"en0","event_type":"http","src_ip":"192.168.86.85","src_port":56119,"dest_ip":"192.168.86.28","dest_port":63963,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.86.28","url":"\/dd.xml","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.99 Safari\/537.36","http_content_type":"text\/xml","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1155}}', 'event.kind': 'event', 'event.module': 'suricata', 'event.category': ['network', 'web'], 'event.type': ['access', 'protocol'], 'event.dataset': 'suricata.eve', 'event.outcome': 'success', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.13.5', 'user_agent.os.full': 'Mac OS X 10.13.5', 'user_agent.name': 'Chrome', 'user_agent.device.name': 'Mac', 'user_agent.version': '67.0.3396.99'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing suricata/eve on /go/src/github.com/elastic/beats/x-pack/filebeat/module/suricata/eve/test/eve-small.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat x-pack / test_fileset_file_189_googlecloud – test_xpack_modules.XPackTest
- Age: 1
- Duration: 3.836
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'log.offset': 945, 'log.logger': 'projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access', 'source.ip': '192.168.1.1', 'fileset.name': 'audit', 'tags': ['forwarded'], 'cloud.project.id': 'elastic-beats', 'input.type': 'log', '@timestamp': '2019-12-19T00:45:51.228Z', 'service.name': 'compute.googleapis.com', 'service.type': 'googlecloud', 'event.kind': 'event', 'event.module': 'googlecloud', 'event.action': 'beta.compute.machineTypes.aggregatedList', 'event.id': '-h6onuze1h7dg', 'event.dataset': 'googlecloud.audit', 'event.outcome': 'failure', 'googlecloud.audit.request.proto_name': 'type.googleapis.com/compute.machineTypes.aggregatedList', 'googlecloud.audit.authentication_info.principal_email': '[email protected]', 'googlecloud.audit.method_name': 'beta.compute.machineTypes.aggregatedList', 'googlecloud.audit.request_metadata.caller_ip': '192.168.1.1', 'googlecloud.audit.request_metadata.caller_supplied_user_agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)', 'googlecloud.audit.service_name': 'compute.googleapis.com', 'googlecloud.audit.num_response_items': 71, 'googlecloud.audit.authorization_info': [{'permission': 'compute.machineTypes.list', 'resource_attributes': {'service': 'resourcemanager', 'name': 'projects/elastic-beats', 'type': 'resourcemanager.projects'}, 'granted': False}], 'googlecloud.audit.resource_name': 'projects/elastic-beats/global/machineTypes', 'googlecloud.audit.type': 'type.googleapis.com/google.cloud.audit.AuditLog', 'googlecloud.audit.resource_location.current_locations': ['global'], 'user.email': '[email protected]', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.15', 'user_agent.os.full': 'Mac OS X 10.15', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '71.0.'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing googlecloud/audit on /go/src/github.com/elastic/beats/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat x-pack / test_fileset_file_208_tomcat – test_xpack_modules.XPackTest
- Age: 1
- Duration: 8.978
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'G8142', 'old_value': 'Generic Smartphone'}}}, full object:
  {'rsa.internal.level': 1516, 'rsa.internal.messageid': 'asdf', 'rsa.web.web_ref_domain': 'mail.example.net', 'rsa.web.alias_host': 'https://example.com/illumqui/ventore.html?min=ite#utl', 'rsa.web.fqdn': 'https://example.com/illumqui/ventore.html?min=ite#utl', 'rsa.web.web_cookie': 'aliqu', 'rsa.time.timezone': 'OMST', 'rsa.time.event_time': '2016-01-29T08:09:59.000Z', 'rsa.misc.action': ['exercita'], 'rsa.misc.result_code': 'ntsunti', 'rsa.network.network_service': 'oremi', 'log.offset': 0, 'source.bytes': 5293, 'source.ip': ['10.251.224.219'], 'fileset.name': 'log', 'url.domain': 'example.com', 'url.query': 'amremap', 'tags': ['tomcat.log', 'forwarded'], 'observer.product': 'TomCat', 'observer.vendor': 'Apache', 'observer.type': 'Web', 'input.type': 'log', '@timestamp': '2016-01-29T08:09:59.000Z', 'file.name': 'vol', 'related.ip': ['10.251.224.219'], 'related.user': ['rci'], 'service.type': 'tomcat', 'http.request.referrer': 'https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer', 'event.original': '%APACHETOMCAT-1516-asdf: 10.251.224.219||eacommod||rci||[29/Jan/2016:6:09:59 OMST]||exercita||https://example.com/illumqui/ventore.html?min=ite#utl||vol||amremap||oremi||ntsunti||5293||https://mail.example.net/turadipi/aeca.htm?ntium=psaq#cer||Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36||aliqu', 'event.code': 'asdf', 'event.timezone': 'OMST', 'event.module': 'tomcat', 'event.dataset': 'tomcat.log', 'user.name': 'rci', 'user_agent.original': 'Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36', 'user_agent.os.name': 'Android', 'user_agent.os.version': '9', 'user_agent.os.full': 'Android 9', 'user_agent.name': 'Chrome Mobile', 'user_agent.device.name': 'G8142', 'user_agent.version': '83.0.4103.83'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing tomcat/log on /go/src/github.com/elastic/beats/x-pack/filebeat/module/tomcat/log/test/generated.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat oss / test_fileset_file_019_apache – test_modules.Test
- Age: 1
- Duration: 2.444
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'log.offset': 73, 'source.address': '192.168.33.1', 'source.ip': '192.168.33.1', 'fileset.name': 'access', 'url.original': '/hello', 'input.type': 'log', '@timestamp': '2016-12-26T16:22:13.000Z', 'service.type': 'apache', 'http.request.referrer': '-', 'http.request.method': 'GET', 'http.response.status_code': 404, 'http.response.body.bytes': 499, 'http.version': '1.1', 'event.kind': 'event', 'event.module': 'apache', 'event.category': 'web', 'event.dataset': 'apache.access', 'event.outcome': 'failure', 'user.name': '-', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.12', 'user_agent.os.full': 'Mac OS X 10.12', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '50.0.'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing apache/access on /go/src/github.com/elastic/beats/filebeat/tests/system/../../module/apache/access/test/test.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat oss / test_fileset_file_020_apache – test_modules.Test
- Age: 1
- Duration: 1.818
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'log.offset': 98, 'source.address': '192.168.33.1', 'source.ip': '192.168.33.1', 'fileset.name': 'access', 'url.original': '/', 'input.type': 'log', '@timestamp': '2016-12-26T16:22:00.000Z', 'service.type': 'apache', 'http.request.referrer': '-', 'http.request.method': 'GET', 'http.response.status_code': 200, 'http.response.body.bytes': 484, 'http.version': '1.1', 'event.kind': 'event', 'event.module': 'apache', 'event.category': 'web', 'event.dataset': 'apache.access', 'event.outcome': 'success', 'user.name': '-', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.12.0', 'user_agent.os.full': 'Mac OS X 10.12.0', 'user_agent.name': 'Chrome', 'user_agent.device.name': 'Mac', 'user_agent.version': '54.0.2840.98'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing apache/access on /go/src/github.com/elastic/beats/filebeat/tests/system/../../module/apache/access/test/ubuntu-2.2.22.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat oss / test_fileset_file_021_apache – test_modules.Test
- Age: 1
- Duration: 1.858
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'log.offset': 0, 'destination.domain': 'vhost1.domaine.fr', 'source.ip': '192.168.33.2', 'fileset.name': 'access', 'url.original': '/hello', 'input.type': 'log', '@timestamp': '2016-12-26T16:22:14.000Z', 'service.type': 'apache', 'http.request.referrer': '-', 'http.request.method': 'GET', 'http.response.status_code': 404, 'http.response.body.bytes': 499, 'http.version': '1.1', 'event.kind': 'event', 'event.module': 'apache', 'event.category': 'web', 'event.dataset': 'apache.access', 'event.outcome': 'failure', 'user.name': '-', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.12', 'user_agent.os.full': 'Mac OS X 10.12', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '50.0.'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing apache/access on /go/src/github.com/elastic/beats/filebeat/tests/system/../../module/apache/access/test/test-vhost.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat oss / test_fileset_file_028_iis – test_modules.Test
- Age: 1
- Duration: 1.874
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'log.offset': 1204, 'destination.address': '127.0.0.1', 'destination.port': 80, 'destination.domain': 'example.com', 'destination.ip': '127.0.0.1', 'source.geo.continent_name': 'Europe', 'source.geo.region_iso_code': 'DE-BE', 'source.geo.city_name': 'Berlin', 'source.geo.country_iso_code': 'DE', 'source.geo.region_name': 'Land Berlin', 'source.geo.location.lon': 13.4531, 'source.geo.location.lat': 52.4473, 'source.as.number': 6805, 'source.as.organization.name': 'Telefonica Germany', 'source.address': '85.181.35.98', 'source.ip': '85.181.35.98', 'fileset.name': 'access', 'url.path': '/', 'input.type': 'log', 'iis.access.site_name': 'W3SVC1', 'iis.access.server_name': 'MACHINE-NAME', 'iis.access.sub_status': 0, 'iis.access.win32_status': 0, '@timestamp': '2018-01-01T10:11:12.000Z', 'related.ip': ['85.181.35.98', '127.0.0.1'], 'service.type': 'iis', 'http.request.method': 'GET', 'http.request.body.bytes': 456, 'http.response.status_code': 200, 'http.response.body.bytes': 123, 'http.version': '1.1', 'event.duration': 789000000, 'event.kind': 'event', 'event.module': 'iis', 'event.category': ['web', 'network'], 'event.type': ['connection'], 'event.dataset': 'iis.access', 'event.outcome': 'success', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.14.0', 'user_agent.os.full': 'Mac OS X 10.14.0', 'user_agent.name': 'Chrome', 'user_agent.device.name': 'Mac', 'user_agent.version': '70.0.3538.102'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing iis/access on /go/src/github.com/elastic/beats/filebeat/tests/system/../../module/iis/access/test/test.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat oss / test_fileset_file_031_iis – test_modules.Test
- Age: 1
- Duration: 2.025
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'log.offset': 331, 'destination.address': '::1%0', 'destination.port': 80, 'destination.domain': 'example.com', 'destination.ip': '::1', 'source.address': '::1%0', 'source.ip': '::1', 'fileset.name': 'access', 'url.path': '/', 'input.type': 'log', 'iis.access.site_name': 'W3SVC1', 'iis.access.server_name': 'MACHINE-NAME', 'iis.access.sub_status': 0, 'iis.access.win32_status': 0, '@timestamp': '2018-01-01T10:11:12.000Z', 'related.ip': ['::1', '::1'], 'service.type': 'iis', 'http.request.method': 'GET', 'http.request.body.bytes': 456, 'http.response.status_code': 200, 'http.response.body.bytes': 123, 'http.version': '1.1', 'event.duration': 789000000, 'event.kind': 'event', 'event.module': 'iis', 'event.category': ['web', 'network'], 'event.type': ['connection'], 'event.dataset': 'iis.access', 'event.outcome': 'success', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.14.0', 'user_agent.os.full': 'Mac OS X 10.14.0', 'user_agent.name': 'Chrome', 'user_agent.device.name': 'Mac', 'user_agent.version': '70.0.3538.102'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing iis/access on /go/src/github.com/elastic/beats/filebeat/tests/system/../../module/iis/access/test/test-ipv6zone.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat oss / test_fileset_file_097_nginx – test_modules.Test
- Age: 1
- Duration: 2.542
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'nginx.ingress_controller.upstream.alternative_name': '', 'nginx.ingress_controller.upstream.port': '8080', 'nginx.ingress_controller.upstream.response.status_code': 200, 'nginx.ingress_controller.upstream.response.length': 59, 'nginx.ingress_controller.upstream.response.time': 0.0, 'nginx.ingress_controller.upstream.ip': '172.17.0.5', 'nginx.ingress_controller.upstream.name': 'default-web-8080', 'nginx.ingress_controller.http.request.length': 450, 'nginx.ingress_controller.http.request.id': 'da29abf31e4d6324cebe5e7bca370709', 'nginx.ingress_controller.http.request.time': 0.001, 'nginx.ingress_controller.remote_ip_list': ['192.168.64.1'], 'log.offset': 1273, 'source.address': '192.168.64.1', 'source.ip': '192.168.64.1', 'fileset.name': 'ingress_controller', 'url.original': '/products/42', 'input.type': 'log', '@timestamp': '2020-02-07T11:55:57.000Z', 'related.ip': ['192.168.64.1'], 'service.type': 'nginx', 'http.request.method': 'GET', 'http.response.status_code': 200, 'http.response.body.bytes': 59, 'http.version': '1.1', 'event.timezone': '-02:00', 'event.kind': 'event', 'event.module': 'nginx', 'event.category': ['web'], 'event.type': ['info'], 'event.dataset': 'nginx.ingress_controller', 'event.outcome': 'success', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.14.6', 'user_agent.os.full': 'Mac OS X 10.14.6', 'user_agent.name': 'Chrome', 'user_agent.device.name': 'Mac', 'user_agent.version': '79.0.3945.130'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing nginx/ingress_controller on /go/src/github.com/elastic/beats/filebeat/tests/system/../../module/nginx/ingress_controller/test/test.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat oss / test_fileset_file_098_nginx – test_modules.Test
- Age: 1
- Duration: 2.357
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'nginx.access.remote_ip_list': ['10.0.0.2', '10.0.0.1', '127.0.0.1'], 'log.offset': 0, 'source.address': '10.0.0.2', 'source.ip': '10.0.0.2', 'fileset.name': 'access', 'url.original': '/ocelot', 'input.type': 'log', '@timestamp': '2016-12-07T10:05:07.000Z', 'related.ip': ['10.0.0.2'], 'service.type': 'nginx', 'http.request.method': 'GET', 'http.response.status_code': 200, 'http.response.body.bytes': 571, 'http.version': '1.1', 'event.timezone': '-02:00', 'event.kind': 'event', 'event.module': 'nginx', 'event.category': ['web'], 'event.type': ['access'], 'event.dataset': 'nginx.access', 'event.outcome': 'success', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.12', 'user_agent.os.full': 'Mac OS X 10.12', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '49.0.'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing nginx/access on /go/src/github.com/elastic/beats/filebeat/tests/system/../../module/nginx/access/test/test.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat oss / test_fileset_file_099_nginx – test_modules.Test
- Age: 1
- Duration: 1.932
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'nginx.access.remote_ip_list': ['77.179.66.156'], 'log.offset': 0, 'source.geo.continent_name': 'Europe', 'source.geo.region_iso_code': 'DE-RP', 'source.geo.city_name': 'Germersheim', 'source.geo.country_iso_code': 'DE', 'source.geo.region_name': 'Rheinland-Pfalz', 'source.geo.location.lon': 8.3639, 'source.geo.location.lat': 49.2231, 'source.as.number': 6805, 'source.as.organization.name': 'Telefonica Germany', 'source.address': '77.179.66.156', 'source.ip': '77.179.66.156', 'fileset.name': 'access', 'url.original': '/', 'input.type': 'log', '@timestamp': '2016-10-25T12:49:33.000Z', 'related.ip': ['77.179.66.156'], 'service.type': 'nginx', 'http.request.method': 'GET', 'http.response.status_code': 200, 'http.response.body.bytes': 612, 'http.version': '1.1', 'event.timezone': '-02:00', 'event.kind': 'event', 'event.module': 'nginx', 'event.category': ['web'], 'event.type': ['access'], 'event.dataset': 'nginx.access', 'event.outcome': 'success', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.12.0', 'user_agent.os.full': 'Mac OS X 10.12.0', 'user_agent.name': 'Chrome', 'user_agent.device.name': 'Mac', 'user_agent.version': '54.0.2840.59'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing nginx/access on /go/src/github.com/elastic/beats/filebeat/tests/system/../../module/nginx/access/test/access.log

--------------------- >> end captured stdout << ----------------------

Name: Build and Test / Filebeat oss / test_fileset_file_100_nginx – test_modules.Test
- Age: 1
- Duration: 1.921
- Error Details: The following expected object doesn't match:
  Diff:
  {'values_changed': {"root['user_agent.device.name']": {'new_value': 'Mac', 'old_value': 'Other'}}}, full object:
  {'nginx.access.remote_ip_list': ['10.0.0.2', '10.0.0.1', '127.0.0.1'], 'log.offset': 0, 'destination.domain': 'example.com', 'source.address': '10.0.0.2', 'source.ip': '10.0.0.2', 'fileset.name': 'access', 'url.original': '/ocelot', 'input.type': 'log', '@timestamp': '2016-12-07T10:05:07.000Z', 'related.ip': ['10.0.0.2'], 'service.type': 'nginx', 'http.request.method': 'GET', 'http.response.status_code': 200, 'http.response.body.bytes': 571, 'http.version': '1.1', 'event.timezone': '-02:00', 'event.kind': 'event', 'event.module': 'nginx', 'event.category': ['web'], 'event.type': ['access'], 'event.dataset': 'nginx.access', 'event.outcome': 'success', 'user_agent.original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0', 'user_agent.os.name': 'Mac OS X', 'user_agent.os.version': '10.12', 'user_agent.os.full': 'Mac OS X 10.12', 'user_agent.name': 'Firefox', 'user_agent.device.name': 'Mac', 'user_agent.version': '49.0.'}
  -------------------- >> begin captured stdout << ---------------------
  Using elasticsearch: http://elasticsearch:9200
  Testing nginx/access on /go/src/github.com/elastic/beats/filebeat/tests/system/../../module/nginx/access/test/test-with-host.log

--------------------- >> end captured stdout << ----------------------

Steps errors

Expand to view the steps failures

Name: Make testsuite
- Description: make -C filebeat testsuite
- Duration: 32 min 35 sec
- Start Time: 2020-07-23T03:30:21.566+0000
- log
Name: Mage update build test
- Description: mage update build test
- Duration: 31 min 49 sec
- Start Time: 2020-07-23T03:30:37.654+0000
- log

Log output

Expand to view the last 100 lines of log output

[2020-07-23T04:02:25.906Z] + FILE=libbeat/build/coverage/full.cov
[2020-07-23T04:02:25.906Z] + '[' -f libbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:25.906Z] + for i in '"$@"'
[2020-07-23T04:02:25.906Z] + FILE=metricbeat/build/coverage/full.cov
[2020-07-23T04:02:25.906Z] + '[' -f metricbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:25.906Z] + for i in '"$@"'
[2020-07-23T04:02:25.906Z] + FILE=packetbeat/build/coverage/full.cov
[2020-07-23T04:02:25.906Z] + '[' -f packetbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:25.906Z] + for i in '"$@"'
[2020-07-23T04:02:25.906Z] + FILE=winlogbeat/build/coverage/full.cov
[2020-07-23T04:02:25.906Z] + '[' -f winlogbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:27.233Z] Failed in branch Filebeat x-pack
[2020-07-23T04:02:28.577Z] + .ci/scripts/report-codecov.sh auditbeat filebeat heartbeat journalbeat libbeat metricbeat packetbeat winlogbeat
[2020-07-23T04:02:28.577Z] + CODECOV_URL=https://codecov.io/bash
[2020-07-23T04:02:28.577Z] + '[' -e /usr/local/bin/bash_standard_lib.sh ']'
[2020-07-23T04:02:28.577Z] + source /usr/local/bin/bash_standard_lib.sh
[2020-07-23T04:02:28.577Z] ++ readonly CACHE_DIR=/var/lib/jenkins/workspace/Beats_beats_PR-20176/.git-references
[2020-07-23T04:02:28.577Z] ++ CACHE_DIR=/var/lib/jenkins/workspace/Beats_beats_PR-20176/.git-references
[2020-07-23T04:02:28.577Z] ++ declare -a cloned_git_repos
[2020-07-23T04:02:28.577Z] + retry 3 curl -sSLo codecov https://codecov.io/bash
[2020-07-23T04:02:28.577Z] + local retries=3
[2020-07-23T04:02:28.577Z] + shift
[2020-07-23T04:02:28.577Z] + local count=0
[2020-07-23T04:02:28.577Z] + curl -sSLo codecov https://codecov.io/bash
[2020-07-23T04:02:28.845Z] + return 0
[2020-07-23T04:02:28.845Z] + for i in '"$@"'
[2020-07-23T04:02:28.845Z] + FILE=auditbeat/build/coverage/full.cov
[2020-07-23T04:02:28.845Z] + '[' -f auditbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:28.845Z] + for i in '"$@"'
[2020-07-23T04:02:28.845Z] + FILE=filebeat/build/coverage/full.cov
[2020-07-23T04:02:28.845Z] + '[' -f filebeat/build/coverage/full.cov ']'
[2020-07-23T04:02:28.845Z] + for i in '"$@"'
[2020-07-23T04:02:28.845Z] + FILE=heartbeat/build/coverage/full.cov
[2020-07-23T04:02:28.845Z] + '[' -f heartbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:28.845Z] + for i in '"$@"'
[2020-07-23T04:02:28.845Z] + FILE=journalbeat/build/coverage/full.cov
[2020-07-23T04:02:28.845Z] + '[' -f journalbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:28.845Z] + for i in '"$@"'
[2020-07-23T04:02:28.845Z] + FILE=libbeat/build/coverage/full.cov
[2020-07-23T04:02:28.845Z] + '[' -f libbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:28.845Z] + for i in '"$@"'
[2020-07-23T04:02:28.845Z] + FILE=metricbeat/build/coverage/full.cov
[2020-07-23T04:02:28.845Z] + '[' -f metricbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:28.845Z] + for i in '"$@"'
[2020-07-23T04:02:28.845Z] + FILE=packetbeat/build/coverage/full.cov
[2020-07-23T04:02:28.845Z] + '[' -f packetbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:28.845Z] + for i in '"$@"'
[2020-07-23T04:02:28.845Z] + FILE=winlogbeat/build/coverage/full.cov
[2020-07-23T04:02:28.845Z] + '[' -f winlogbeat/build/coverage/full.cov ']'
[2020-07-23T04:02:30.014Z] Failed in branch Filebeat oss
[2020-07-23T04:02:30.158Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20176/src/github.com/elastic/beats
[2020-07-23T04:02:30.474Z] + find . -type f -name TEST*.xml -path */build/* -delete
[2020-07-23T04:02:30.487Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20176/src/github.com/elastic/beats/Lint
[2020-07-23T04:02:30.573Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20176/src/github.com/elastic/beats/Filebeat-x-pack-Mac-OS-X
[2020-07-23T04:02:30.649Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20176/src/github.com/elastic/beats/Filebeat-x-pack-Windows
[2020-07-23T04:02:30.726Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20176/src/github.com/elastic/beats/Filebeat-Windows
[2020-07-23T04:02:30.804Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20176/src/github.com/elastic/beats/Filebeat-Mac-OS-X
[2020-07-23T04:02:30.882Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20176/src/github.com/elastic/beats/Filebeat-x-pack
[2020-07-23T04:02:30.983Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20176/src/github.com/elastic/beats/Filebeat-oss
[2020-07-23T04:02:31.344Z] + cat
[2020-07-23T04:02:31.344Z] + /usr/local/bin/runbld ./runbld-script
[2020-07-23T04:02:31.344Z] Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
[2020-07-23T04:02:37.951Z] runbld>>> runbld started
[2020-07-23T04:02:37.951Z] runbld>>> 1.6.12/f45d832f2ba0aa2722ab4ec1fda8ad140f027f8b
[2020-07-23T04:02:40.501Z] runbld>>> The following profiles matched the job 'Beats/beats/PR-20176' in order of occurrence in the config (last value wins).
[2020-07-23T04:02:41.458Z] runbld>>> Debug logging enabled.
[2020-07-23T04:02:41.458Z] runbld>>> Storing result
[2020-07-23T04:02:41.719Z] runbld>>> Store result: created {:total 2, :successful 2, :failed 0} 1
[2020-07-23T04:02:41.719Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200723040241-E44F8C57
[2020-07-23T04:02:41.719Z] runbld>>> Adding system facts.
[2020-07-23T04:02:42.663Z] runbld>>> Adding vcs info for the latest commit:  b8e60bf7f071f25903361b58450d04827c1f6907
[2020-07-23T04:02:42.663Z] runbld>>> >>>>>>>>>>>> SCRIPT EXECUTION BEGIN >>>>>>>>>>>>
[2020-07-23T04:02:42.663Z] runbld>>> Adding /usr/lib/jvm/java-8-openjdk-amd64/bin to the path.
[2020-07-23T04:02:42.925Z] + echo 'Processing JUnit reports with runbld...'
[2020-07-23T04:02:42.925Z] Processing JUnit reports with runbld...
[2020-07-23T04:02:43.187Z] runbld>>> <<<<<<<<<<<< SCRIPT EXECUTION END <<<<<<<<<<<<
[2020-07-23T04:02:43.187Z] runbld>>> DURATION: 18ms
[2020-07-23T04:02:43.187Z] runbld>>> STDOUT: 40 bytes
[2020-07-23T04:02:43.187Z] runbld>>> STDERR: 49 bytes
[2020-07-23T04:02:43.187Z] runbld>>> WRAPPED PROCESS: SUCCESS (0)
[2020-07-23T04:02:43.187Z] runbld>>> Searching for build metadata in /var/lib/jenkins/workspace/Beats_beats_PR-20176/src/github.com/elastic/beats
[2020-07-23T04:02:44.578Z] runbld>>> Storing build metadata: 
[2020-07-23T04:02:44.578Z] runbld>>> Adding test report.
[2020-07-23T04:02:44.578Z] runbld>>> Searching for junit test output files with the pattern: TEST-.*\.xml$ in: /var/lib/jenkins/workspace/Beats_beats_PR-20176/src/github.com/elastic/beats
[2020-07-23T04:02:45.152Z] runbld>>> Found 13 test output files
[2020-07-23T04:02:46.540Z] runbld>>> Test output logs contained: Errors: 0 Failures: 19 Tests: 4951 Skipped: 661
[2020-07-23T04:02:46.803Z] runbld>>> Storing result
[2020-07-23T04:02:46.803Z] runbld>>> FAILURES: 19
[2020-07-23T04:02:51.021Z] runbld>>> Store result: updated {:total 2, :successful 2, :failed 0} 2
[2020-07-23T04:02:51.022Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200723040241-E44F8C57
[2020-07-23T04:02:51.022Z] runbld>>> Email notification disabled by environment variable.
[2020-07-23T04:02:51.022Z] runbld>>> Slack notification disabled by environment variable.
[2020-07-23T04:02:56.578Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats_PR-20176
[2020-07-23T04:02:56.689Z] [INFO] getVaultSecret: Getting secrets
[2020-07-23T04:02:56.766Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-07-23T04:02:57.510Z] + chmod 755 generate-build-data.sh
[2020-07-23T04:02:57.510Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20176/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20176/runs/2 FAILURE 3481174
[2020-07-23T04:02:57.510Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20176/runs/2/steps/?limit=10000 -o steps-info.json
[2020-07-23T04:02:58.061Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20176/runs/2/tests/?status=FAILED -o tests-errors.json
[2020-07-23T04:02:58.611Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20176/runs/2/log/ -o pipeline-log.txt

andrewkroh approved these changes

View reviewed changes

andrewstucki merged commit dee93b2 into elastic:7.x

zube bot added [zube]: Done and removed [zube]: In Review labels

zube bot removed the [zube]: Done label

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels