x-pack/filebeat/processors/decode_cef - Fix ECS observer.ip

Fix the ECS output format by making `observer.ip` into an array of strings instead of string. Fixes #35140
elastic · Apr 20, 2023 · 2078b45 · 2078b45
1 parent b47e4fd
commit 2078b45
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 7 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -111,6 +111,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 - Correctly collect TCP and UDP metrics for unspecified address values. {pull}35111[35111]
 - Fix base for UDP and TCP queue metrics and UDP drops metric. {pull}35123[35123]
 - Sanitize filenames for request tracer in httpjson and cel inputs. {pull}35143[35143]
+- decode_cef processor: Fix ECS output by making `observer.ip` into an array of strings instead of string. {issue}35140[35140] {pull}35149[35149]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/processors/decode_cef/keys.ecs.go b/x-pack/filebeat/processors/decode_cef/keys.ecs.go
@@ -60,7 +60,12 @@ var ecsExtensionMapping = map[string]mappedField{
 	"destinationUserName":          {Target: "destination.user.name"},
 	"destinationUserPrivileges":    {Target: "destination.user.group.name"},
 	"deviceAction":                 {Target: "event.action"},
-	"deviceAddress":                {Target: "observer.ip"},
+	"deviceAddress": {
+		Target: "observer.ip",
+		Translate: func(in *cef.Field) (interface{}, error) {
+			return []string{in.String}, nil
+		},
+	},
 	"deviceDirection": {
 		Target: "network.direction",
 		Translate: func(in *cef.Field) (interface{}, error) {

diff --git a/x-pack/filebeat/processors/decode_cef/testdata/samples.log.golden.json b/x-pack/filebeat/processors/decode_cef/testdata/samples.log.golden.json
@@ -173,7 +173,9 @@
     },
     "message": "AppControl detectOnly",
     "observer": {
-      "ip": "192.168.33.128",
+      "ip": [
+        "192.168.33.128"
+      ],
       "product": "Deep Security Agent",
       "vendor": "Trend Micro",
       "version": "10.2.229"
@@ -1028,7 +1030,9 @@
     },
     "observer": {
       "hostname": "super",
-      "ip": "111.111.111.99",
+      "ip": [
+        "111.111.111.99"
+      ],
       "product": "ASA",
       "vendor": "CISCO"
     },
@@ -1106,7 +1110,9 @@
     "message": "File Opened",
     "observer": {
       "hostname": "VirtualXP",
-      "ip": "192.168.131.65",
+      "ip": [
+        "192.168.131.65"
+      ],
       "product": "ArcSight",
       "vendor": "ArcSight",
       "version": "7.0.5.7132.1"
@@ -1174,7 +1180,9 @@
     "message": "Agent [NAT] type [sdkrfilereader] started",
     "observer": {
       "hostname": "VirtualXP",
-      "ip": "192.168.0.65",
+      "ip": [
+        "192.168.0.65"
+      ],
       "product": "ArcSight",
       "vendor": "ArcSight",
       "version": "7.0.5.7132.1"
@@ -1235,7 +1243,9 @@
     "message": "File processing started",
     "observer": {
       "hostname": "VirtualXP",
-      "ip": "192.168.131.65",
+      "ip": [
+        "192.168.131.65"
+      ],
       "product": "ArcSight",
       "vendor": "ArcSight",
       "version": "7.0.5.7132.1"
@@ -1304,7 +1314,9 @@
     "message": "Process Stopped by User",
     "observer": {
       "hostname": "VirtualXP",
-      "ip": "192.168.131.65",
+      "ip": [
+        "192.168.131.65"
+      ],
       "product": "ArcSight",
       "vendor": "ArcSight",
       "version": "7.0.5.7132.1"