Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Decode_cef Processor needs to set observer.ip as array #35140

Closed
P1llus opened this issue Apr 20, 2023 · 1 comment · Fixed by #35149
Closed

Decode_cef Processor needs to set observer.ip as array #35140

P1llus opened this issue Apr 20, 2023 · 1 comment · Fixed by #35149
Assignees
@chemamartinez
Labels
enhancement

Comments

@P1llus
Copy link
Member

P1llus commented Apr 20, 2023

According to the ECS schema, observer.ip needs to be an array: https://www.elastic.co/guide/en/ecs/8.7/ecs-observer.html#field-observer-ip

However the decode_cef processor sets this as a string, and it makes integrations that uses the processor fail system tests once the format_version is bumped to a newer version.

Decode_cef Processor is here: https://github.com/elastic/beats/tree/main/x-pack/filebeat/processors/decode_cef, we should locate the code that sets observer.ip and ensure its an array ([]string).
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@andrewkroh andrewkroh mentioned this issue Apr 20, 2023
Merged
6 tasks
andrewkroh added a commit to andrewkroh/beats that referenced this issue Apr 20, 2023
@andrewkroh
x-pack/filebeat/processors/decode_cef - Fix ECS observer.ip
2078b45 
Fix the ECS output format by making `observer.ip` into an array of strings
instead of string.

Fixes elastic#35140
andrewkroh added a commit that referenced this issue Apr 20, 2023
@andrewkroh
x-pack/filebeat/processors/decode_cef - Fix ECS observer.ip (#35149)
35b2dca 
Fix the ECS output format by making `observer.ip` into an array of strings
instead of string.

Fixes #35140
andrewkroh added a commit that referenced this issue Apr 21, 2023
@andrewkroh
x-pack/filebeat/processors/decode_cef - Fix ECS observer.ip (#35149)
ba97c37 
Fix the ECS output format by making `observer.ip` into an array of strings
instead of string.

Fixes #35140

(cherry picked from commit 35b2dca)
andrewkroh added a commit that referenced this issue Apr 21, 2023
@mergify @andrewkroh
x-pack/filebeat/processors/decode_cef - Fix ECS observer.ip (#35149) (#…
05291f4 
…35161)

Fix the ECS output format by making `observer.ip` into an array of strings
instead of string.

Fixes #35140

(cherry picked from commit 35b2dca)

Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
chrisberkhout pushed a commit that referenced this issue Jun 1, 2023
@andrewkroh @chrisberkhout
x-pack/filebeat/processors/decode_cef - Fix ECS observer.ip (#35149)
5403a86 
Fix the ECS output format by making `observer.ip` into an array of strings
instead of string.

Fixes #35140
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@chemamartinez chemamartinez

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

x-pack/filebeat/processors/decode_cef - Fix ECS observer.ip andrewkroh/beats
3 participants
@P1llus @elasticmachine @chemamartinez