Merge remote-tracking branch 'upstream/main' into feature/ironbank-au…

…tomation

* upstream/main:
  [main](backport elastic#32235) docs: Prepare Changelog for 8.3.2 (elastic#32253)
  Revert "Fix flags for dev build (elastic#31955)" (elastic#32250)
  [Automation] Update elastic stack version to 8.4.0-d0a4da44 for testing (elastic#32243)
  x-pack/filebeat/module/cisco: fix handling of user parsing with sgt fields (elastic#32196)
  packetbeat/route: make use of newly added GetBestInterfaceEx in x/sys/windows (elastic#32180)

CHANGELOG-developer.next.asciidoc

@@ -75,7 +75,6 @@ The list below covers the major changes between 7.0.0-rc2 and main only.
 - Avoid panicking in `add_fields` processor when input event.Fields is a nil map. {pull}28219[28219]
 - Drop event batch when get HTTP status 413 from Elasticsearch to avoid infinite loop {issue}14350[14350] {pull}29368[29368]
 - Allow to use metricbeat for named mssql instances. {issue}24076[24076] {pull}30859[30859]
-- Setting DEV=true when running `mage build` now correctly generates binaries without optimisations and with debug symbols {pull}31955[31955]
 
 ==== Added
 

CHANGELOG.asciidoc

@@ -3,6 +3,33 @@
 :issue: https://github.com/elastic/beats/issues/
 :pull: https://github.com/elastic/beats/pull/
 
+[[release-notes-8.3.2]]
+=== Beats version 8.3.2
+https://github.com/elastic/beats/compare/v8.3.1\...v8.3.2[View commits]
+
+==== Bugfixes
+
+*Filebeat*
+- Fix handling of stale log message handling in the winlog input {issue}32168[32168] {pull}32176[32176]
+
+*Heartbeat*
+
+- Fix regression where we write a dotted (non-nested) key `event.type`. {pull}32097[32097]
+
+*Metricbeat*
+
+- Fix for unintentionally reporting the libbeat "handles" metrics under "system" instead of "beat" as they were in previous releases. https://github.com/elastic/elastic-agent-system-metrics/pull/37[system-metrics#37]
+
+*Winlogbeat*
+
+- Fix handling of stale log message handling {issue}32168[32168] {pull}32176[32176]
+
+==== Added
+
+*Metricbeat*
+
+- Differentiate between actual idle CPU states and an uninterruptible disk sleep. https://github.com/elastic/elastic-agent-system-metrics/pull/32[system-metrics#32]
+
 [[release-notes-8.3.1]]
 === Beats version 8.3.1
 https://github.com/elastic/beats/compare/v8.3.0\...v8.3.1[View commits]
@@ -13,6 +40,10 @@ https://github.com/elastic/beats/compare/v8.3.0\...v8.3.1[View commits]
 
 - Improve syslog parser/processor error handling. {issue}31246[31246] {pull}31798[31798]
 
+*Auditbeat*
+
+- Fix handling of audit status messages for modern kernels with reduced audit message feature support. {issue}31616[31616] {pull}32141[32141]
+
 *Filebeat*
 
 - Fix handling and mapping of syslog priority, facility and severity values in Cisco module. {pull}32025[32025]
@@ -42,7 +73,6 @@ https://github.com/elastic/beats/compare/v8.2.3\...v8.3.0[View commits]
 - Fix MISP documentation for `var.filters` config option. {pull}31434[31434]
 - Fix type mapping of client.as.number in okta module. {pull}31676[31676]
 - If a file is ignored by `filestream` because of ignore_older settings, when it is updated, only the new lines are shipped to the output. {issue}31924[31924] {pull}31972[31972]
-- Fix handling of stale log message handling in the winlog input {issue}32168[32168] {pull}32176[32176]
 
 *Heartbeat*
 
@@ -57,7 +87,6 @@ https://github.com/elastic/beats/compare/v8.2.3\...v8.3.0[View commits]
 *Winlogbeat*
 
 - Sysmon: Drop fields with "-" value (unset) {pull}31556[31556]
-- Fix handling of stale log message handling {issue}32168[32168] {pull}32176[32176]
 
 ==== Added
 

CHANGELOG.next.asciidoc

@@ -45,11 +45,11 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 
 *Filebeat*
 
+- cisco/asa: fix handling of user names when there are Security Group Tags present. {issue}32009[32009] {pull}32196[32196]
 
 *Heartbeat*
 
 - Send targetted error message for unexpected synthetics exits. {pull}31936[31936]
-- Fix regression where we write a dotted (non-nested) key `event.type`. {pull}32097[32097]
 
 *Metricbeat*
 
@@ -111,7 +111,6 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 - Enhance Oracle Module: Connection string for Oracle does not handle special characters properly {issue}24609[24609] {pull}31368[#31368]
 - Enhance Oracle Module: New sysmetric metricset {issue}30946[30946] {pull}31462[#31462]
 - Upgrade Mongodb library in Beats to v5 {pull}31185[31185]
-* Differentiate between actual idle CPU states and an uninterruptible disk sleep. https://github.com/elastic/elastic-agent-system-metrics/pull/32[system-metrics#32]
 
 *Packetbeat*
 
@@ -158,3 +157,6 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 
 
 
+
+
+

NOTICE.txt

@@ -17431,11 +17431,11 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 --------------------------------------------------------------------------------
 Dependency : golang.org/x/sys
-Version: v0.0.0-20220520151302-bc2c85ada10a
+Version: v0.0.0-20220702020025-31831981b65f
 Licence type (autodetected): BSD-3-Clause
 --------------------------------------------------------------------------------
 
-Contents of probable licence file $GOMODCACHE/golang.org/x/sys@v0.0.0-20220520151302-bc2c85ada10a/LICENSE:
+Contents of probable licence file $GOMODCACHE/golang.org/x/sys@v0.0.0-20220702020025-31831981b65f/LICENSE:
 
 Copyright (c) 2009 The Go Authors. All rights reserved.
 

dev-tools/mage/build.go

@@ -67,7 +67,7 @@ func DefaultBuildArgs() BuildArgs {
 
 	if DevBuild {
 		// Disable optimizations (-N) and inlining (-l) for debugging.
-		args.ExtraFlags = append(args.ExtraFlags, `-gcflags=all=-N -l`)
+		args.ExtraFlags = append(args.ExtraFlags, `-gcflags`, `"all=-N -l"`)
 	} else {
 		// Strip all debug symbols from binary (does not affect Go stack traces).
 		args.LDFlags = append(args.LDFlags, "-s")

filebeat/docs/fields.asciidoc

@@ -21459,6 +21459,16 @@ type: keyword
 
 --
 
+*`cisco.asa.source_user_security_group_tag`*::
++
+--
+The Security Group Tag for the source user. Security Group Tag are 16-bit identifiers used to represent logical group privilege.
+
+
+type: long
+
+--
+
 *`cisco.asa.destination_username`*::
 +
 --
@@ -21469,6 +21479,16 @@ type: keyword
 
 --
 
+*`cisco.asa.destination_user_security_group_tag`*::
++
+--
+The Security Group Tag for the destination user. Security Group Tag are 16-bit identifiers used to represent logical group privilege.
+
+
+type: long
+
+--
+
 *`cisco.asa.mapped_source_ip`*::
 +
 --

go.mod

@@ -138,7 +138,7 @@ require (
 	golang.org/x/net v0.0.0-20220225172249-27dd8689420f
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
 	golang.org/x/sync v0.0.0-20220513210516-0976fa681c29
-	golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a
+	golang.org/x/sys v0.0.0-20220702020025-31831981b65f
 	golang.org/x/text v0.3.7
 	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac
 	golang.org/x/tools v0.1.9

go.sum

@@ -2103,8 +2103,9 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220405052023-b1e9470b6e64/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a h1:dGzPydgVsqGcTRVwiLJ1jVbufYwmzD3LfVPLKsKg+0k=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220702020025-31831981b65f h1:xdsejrW/0Wf2diT5CPp3XmKUNbr7Xvw8kYilQ+6qjRY=
+golang.org/x/sys v0.0.0-20220702020025-31831981b65f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=

libbeat/docs/release.asciidoc

@@ -8,6 +8,7 @@ This section summarizes the changes in each release. Also read
 <<breaking-changes>> for more detail about changes that affect
 upgrade.
 
+* <<release-notes-8.3.2>>
 * <<release-notes-8.3.1>>
 * <<release-notes-8.3.0>>
 * <<release-notes-8.2.3>>

packetbeat/route/route_windows.go

@@ -15,184 +15,77 @@
 // specific language governing permissions and limitations
 // under the License.
 
-//nolint:unused,structcheck // How many ways to check for unused? (╯°□°）╯︵ ┻━┻ Fields kept for documentation.
 package route
 
 import (
 	"errors"
 	"runtime"
-	"syscall"
 	"unsafe"
 
 	"golang.org/x/sys/windows"
 )
 
-var (
-	// For details of the APIs used, see:
-	// https://docs.microsoft.com/en-us/windows/win32/api/iphlpapi/nf-iphlpapi-getbestinterfaceex
-	// https://docs.microsoft.com/en-us/windows/win32/api/iphlpapi/nf-iphlpapi-getadaptersaddresses
-	libiphlpapi          = windows.NewLazySystemDLL("Iphlpapi.dll")
-	getBestInterfaceEx   = libiphlpapi.NewProc("GetBestInterfaceEx")
-	getAdaptersAddresses = libiphlpapi.NewProc("GetAdaptersAddresses")
-)
-
 // Default returns the interface and netstat device index of the network interface
 // used for the first identified default route for the specified address family.
 // Valid values for af are syscall.AF_INET and syscall.AF_INET6. The iface name
 // returned will include only the GUID of the device.
 func Default(af int) (name string, index int, err error) {
+	var family windows.Sockaddr
 	switch af {
-	case windows.AF_INET, windows.AF_INET6:
+	case windows.AF_INET:
+		family = &windows.SockaddrInet4{}
+	case windows.AF_INET6:
+		family = &windows.SockaddrInet6{}
 	default:
 		return "", -1, errors.New("invalid family")
 	}
 
-	type sockaddr struct {
-		Family uint16
-		_      [26]byte
-	}
-
 	var idx uint32
-	family := &sockaddr{Family: uint16(af)}
-	ret, _, err := getBestInterfaceEx.Call(uintptr(unsafe.Pointer(family)), uintptr(unsafe.Pointer(&idx)))
+	err = windows.GetBestInterfaceEx(family, &idx)
 	runtime.KeepAlive(family)
-	if ret != windows.NO_ERROR {
-		if syscall.Errno(ret) == windows.ERROR_NOT_FOUND {
-			err = ErrNotFound
-		}
+	switch err { //nolint:errorlint // These are errno errors.
+	case nil, windows.ERROR_SUCCESS:
+	case windows.ERROR_NOT_FOUND:
+		return "", -1, ErrNotFound
+	default:
 		return "", -1, err
 	}
 
+	var addresses *windows.IpAdapterAddresses
 	const (
 		workingBufferSize = 15000
 		maxTries          = 3
 	)
-	var buf []byte
-	outBufLen := workingBufferSize
+	outBufLen := uint32(workingBufferSize)
 loop:
 	for i := 0; i < maxTries; i++ {
-		buf = make([]byte, outBufLen)
-		ret, _, err = getAdaptersAddresses.Call(uintptr(af), 0, 0, uintptr(unsafe.Pointer(&buf[0])), uintptr(unsafe.Pointer(&outBufLen)))
+		buf := make([]byte, outBufLen)
+		addresses = (*windows.IpAdapterAddresses)(unsafe.Pointer(&buf[0]))
+		err = windows.GetAdaptersAddresses(uint32(af), 0, 0, addresses, &outBufLen)
 		runtime.KeepAlive(outBufLen)
-		switch syscall.Errno(ret) {
+		switch err { //nolint:errorlint // These are errno errors.
+		case nil, windows.ERROR_SUCCESS:
+			break loop
 		case windows.ERROR_BUFFER_OVERFLOW:
 			continue
-		case windows.NO_ERROR:
-			break loop
 		case windows.ERROR_NO_DATA:
 			return "", -1, ErrNotFound
 		default:
 			return "", -1, err
 		}
 	}
 
-	addresses := (*ipAdapterAddressesLH)(unsafe.Pointer(&buf[0]))
-	for ; addresses != nil; addresses = addresses.next {
+	for ; addresses != nil; addresses = addresses.Next {
 		switch af {
 		case windows.AF_INET:
-			if addresses.ifIndex != 0 && addresses.ifIndex == idx {
-				return windows.BytePtrToString(addresses.adapterName), int(idx), nil
+			if addresses.IfIndex != 0 && addresses.IfIndex == idx {
+				return windows.BytePtrToString(addresses.AdapterName), int(idx), nil
 			}
 		case windows.AF_INET6:
-			if addresses.ipv6IfIndex != 0 && addresses.ipv6IfIndex == idx {
-				return windows.BytePtrToString(addresses.adapterName), int(idx), nil
+			if addresses.Ipv6IfIndex != 0 && addresses.Ipv6IfIndex == idx {
+				return windows.BytePtrToString(addresses.AdapterName), int(idx), nil
 			}
 		}
 	}
 	return "", -1, ErrNotFound
 }
-
-// https://docs.microsoft.com/en-us/windows/win32/api/ipexport/ns-ipexport-ip_interface_info
-type ipInterfaceInfo struct {
-	numAdapters int32
-	adapter     ipAdapterIndexMap
-}
-
-// https://docs.microsoft.com/en-us/windows/win32/api/ipexport/ns-ipexport-ip_adapter_index_map
-type ipAdapterIndexMap struct {
-	index uint32
-	name  [maxAdapterName]uint16
-}
-
-// https://doxygen.reactos.org/d3/d8d/ipexport_8h_source.html#l00143
-const maxAdapterName = 128
-
-// https://docs.microsoft.com/en-us/windows/win32/api/iptypes/ns-iptypes-ip_adapter_addresses_lh
-type ipAdapterAddressesLH struct {
-	length                 uint32
-	ifIndex                uint32
-	next                   *ipAdapterAddressesLH
-	adapterName            *byte
-	firstUnicastAddress    *windows.IpAdapterUnicastAddress
-	firstAnycastAddress    *windows.IpAdapterAnycastAddress
-	firstMulticastAddress  *windows.IpAdapterMulticastAddress
-	firstDnsServerAddress  *windows.IpAdapterDnsServerAdapter
-	dnsSuffix              *uint16
-	description            *uint16
-	friendlyName           *uint16
-	physicalAddress        [syscall.MAX_ADAPTER_ADDRESS_LENGTH]byte
-	physicalAddressLength  uint32
-	flags                  uint32
-	mtu                    uint32
-	ifType                 uint32
-	operStatus             uint32
-	ipv6IfIndex            uint32
-	zoneIndices            [16]uint32
-	firstPrefix            *windows.IpAdapterPrefix
-	transmitLinkSpeed      uint64
-	receiveLinkSpeed       uint64
-	firstWinsServerAddress *ipAdapterWinsServerAddressLH
-	firstGatewayAddress    *ipAdapterGatewayAddressLH
-	ipv4Metric             uint32
-	ipv6Metric             uint32
-	luid                   uint64
-	dhcpv4Server           socketAddress
-	compartmentId          uint32
-	networkGuid            guid
-	connectionType         uint32
-	tunnelType             uint32
-	dhcpv6Server           socketAddress
-	dhcpv6ClientDuid       [maxDHCPv6DUIDLength]byte
-	dhcpv6ClientDuidLength uint32
-	dhcpv6Iaid             uint32
-	firstDnsSuffix         *ipAdapterDNSSuffix
-}
-
-// https://doxygen.reactos.org/d2/d14/iptypes_8h_source.html#l00176
-type ipAdapterWinsServerAddressLH struct {
-	alignment uint64
-	next      *ipAdapterWinsServerAddressLH
-	address   socketAddress
-}
-
-// https://doxygen.reactos.org/d2/d14/iptypes_8h_source.html#l00190
-type ipAdapterGatewayAddressLH struct {
-	alignment uint64
-	next      *ipAdapterGatewayAddressLH
-	address   socketAddress
-}
-
-// https://doxygen.reactos.org/d8/d15/scsiwmi_8h_source.html#l00050
-type guid struct {
-	data1 uint32
-	data2 uint16
-	data3 uint16
-	data4 [8]byte
-}
-
-// https://doxygen.reactos.org/d1/db0/ws2def_8h_source.html#l00374
-type socketAddress struct {
-	lpSockaddr      int32
-	iSockaddrLength int32
-}
-
-// https://doxygen.reactos.org/d2/d14/iptypes_8h_source.html#l00204
-type ipAdapterDNSSuffix struct {
-	next   *ipAdapterDNSSuffix
-	string [maxDNSSuffixStringLength]uint16
-}
-
-const (
-	maxDHCPv6DUIDLength      = 130 // https://doxygen.reactos.org/d2/d14/iptypes_8h_source.html#l00033
-	maxDNSSuffixStringLength = 256 // https://doxygen.reactos.org/d2/d14/iptypes_8h_source.html#l00034
-)