[Filebeat] Fix checkpoint (elastic#21344)

* fix checkpoint @timestamp already exists * Fix checkpoint @timestamp already existing, test logs * testfile * Updated CHANGELOG * fix ASCIIDOC * remove timestamp renaming since it produced strange error messages about too much compiled scrips * reenable tiemestamp rename * move comment in asciidoc to bugfixes * move comment in asciidoc to bugfixes * fix asciidoc * fix asciidoc * fix tes log * remove empty lines * Fix pipeline and re generate test files * Reorder changelog entry Co-authored-by: bernhard.fluehmann <bernhard.fluehmann@realstuff.ch> (cherry picked from commit 452c6d2)
marc-gr · Sep 29, 2020 · 4369c25 · 4369c25
1 parent 1c94c6d
commit 4369c25
Show file tree

Hide file tree

Showing 5 changed files with 171 additions and 108 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -296,6 +296,7 @@ field. You can revert this change by configuring tags for the module and omittin
 - Fix error when processing AWS Cloudtrail Digest logs. {pull}21086[21086] {issue}20943[20943]
 - Provide backwards compatibility for the `set` processor when Elasticsearch is less than 7.9.0. {pull}20908[20908]
 - Provide backwards compatibility for the `append` processor when Elasticsearch is less than 7.10.0. {pull}21159[21159]
+- Fix checkpoint module when logs contain time field. {pull}20567[20567]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml
@@ -40,10 +40,14 @@ processors:
     - message
     - host
     ignore_missing: true
-- set:
-    field: '@timestamp'
-    value: '{{syslog5424_ts}}'
-    if: ctx.checkpoint?.time == null
+- rename:
+    field: "@timestamp"
+    target_field: "event.created"
+    ignore_missing: true
+- date:
+    field: "syslog5424_ts"
+    formats: ["ISO8601", "UNIX"]
+    if: "ctx.checkpoint?.time == null"
 - set:
     field: event.module
     value: checkpoint
@@ -578,10 +582,10 @@ processors:
     field: checkpoint.industry_reference
     target_field: vulnerability.id
     ignore_missing: true
-- rename:
-    field: checkpoint.time
-    target_field: '@timestamp'
-    ignore_missing: true
+- date:
+    field: "checkpoint.time"
+    formats: ["ISO8601", "UNIX"]
+    if: "ctx.checkpoint?.time != null"
 - rename:
     field: checkpoint.message
     target_field: message
@@ -795,6 +799,7 @@ processors:
     - checkpoint.xlatesrc
     - checkpoint.xlatedst
     - checkpoint.uid
+    - checkpoint.time
     - syslog5424_ts
     ignore_missing: true
 on_failure: