feature/qualys-was-13569

Adds original event tag if there is an error

Author: StacieClark-Elastic

packages/qualys_was/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml

@@ -4,7 +4,7 @@ processors:
  - rename:
  field: message
  target_field: event.original
- if: 'ctx.event?.original == null'
+ if: ctx.event?.original == null
  description: 'Renames the original `message` field to `event.original` to store a copy of the original message.'
  on_failure:
  - append:
@@ -13,7 +13,7 @@ processors:
  - remove:
  field: message
  ignore_missing: true
- if: 'ctx.event?.original != null'
+ if: ctx.event?.original != null
  description: 'The `message` field is no longer required if the document has an `event.original` field.'
  - set:
  if: ctx['@timestamp'] != null
@@ -320,12 +320,17 @@ processors:
  tag: pipeline_knowledge_base
  ignore_missing_pipeline: true
 on_failure:
- - set:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}}
+ in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
  field: event.kind
  value: pipeline_error
- - append:
- field: error.message
- value: >-
- Processor '{{ _ingest.on_failure_processor_type }}'
- {{#_ingest.on_failure_processor_tag}}with tag '{{ _ingest.on_failure_processor_tag }}'
- {{/_ingest.on_failure_processor_tag}}failed with message '{{ _ingest.on_failure_message }}'
+ tag: set_pipeline_error_to_event_kind
+ if: ctx.error?.message != null
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
+ if: ctx.error?.message != null