Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

filebeat/module/cef: import genericised cef dashboards from integrations #32766

Merged
merged 6 commits into from
Aug 24, 2022
Merged

filebeat/module/cef: import genericised cef dashboards from integrations #32766

merged 6 commits into from
Aug 24, 2022

Conversation

efd6
Copy link
Contributor

@efd6 efd6 commented Aug 23, 2022

What does this PR do?

This adds the dashboards that exist in the CEF integration to the CEF module in filebeat.

Why is it important?

The existing dashboards do not work in the general case as they were originally written against the ArcSight fields that the original module worked with.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • Query how to deal with the existing kibana/7 dashboards.

How to test this PR locally

Related issues

Use cases

Screenshots

See screenshots in elastic/integrations#3526.

Logs

@efd6 efd6 added enhancement Filebeat Filebeat Team:Security-External Integrations backport-skip Skip notification from the automated backport with mergify 8.5 candidate labels Aug 23, 2022
@efd6 efd6 self-assigned this Aug 23, 2022
@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Aug 23, 2022
@elasticmachine
Copy link
Collaborator

elasticmachine commented Aug 23, 2022
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-08-24T00:46:56.997+0000

  • Duration: 86 min 58 sec

Test stats 🧪

Test Results
Failed 0
Passed 2201
Skipped 166
Total 2367

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@efd6
Copy link
Contributor Author

efd6 commented Aug 23, 2022

jitterbit/get-changed-files#4

@efd6 efd6 marked this pull request as ready for review August 23, 2022 03:51
@efd6 efd6 requested a review from a team as a code owner August 23, 2022 03:51
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@mergify
Copy link
Contributor

mergify bot commented Aug 23, 2022

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b i3469-cef upstream/i3469-cef
git merge upstream/main
git push upstream i3469-cef

andrewkroh
andrewkroh requested changes Aug 23, 2022
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the dashboards require some changes to work with Beats.

  • Beats uses event.dataset instead of data_stream.dataset.
  • The index pattern is filebeat-* rather than logs-*.
  • Are the object IDs the same as what's in the Fleet integration? We should make them unique to prevent collisions Kibana with Fleets saved objects.

@efd6
Copy link
Contributor Author

efd6 commented Aug 24, 2022
edited
Loading

I have deconflicted the object IDs with clonedash (second commit) and the index patterns have been adjusted (last commit). I'll look into the data_stream.dataset => event.dataset.

What may still be an issue is that the beats dashboards have version and updated_at fields which I clobbered when I used clonedash. This can be repaired by passaging through filebeat export again.

@efd6
repassage dashboards through filebeat export
f6f6352 
1. upload to 8.3.3 kibana as an integration assets bundle
2. filebeat export dashboard
@efd6 efd6 merged commit 28a2c7f into elastic:main Aug 24, 2022
chrisberkhout pushed a commit that referenced this pull request Jun 1, 2023
@efd6 @chrisberkhout
filebeat/module/cef: import genericised cef dashboards from integrati…
cf3b48d 
…ons (#32766)

Used clonedash to construct new identifiers, then adjusted title formats,
index patterns and query targets. Added the dashboard assets from the
integrations config page on kibana and then exported with filebeat export
dashboard.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees

@efd6 efd6

Labels
8.5 candidate backport-skip Skip notification from the automated backport with mergify enhancement Filebeat Filebeat
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

cef: make dashboard work with CEF standard inputs
3 participants
@efd6 @elasticmachine @andrewkroh