
@kcreddy
Contributor

@kcreddy kcreddy commented Jan 15, 2025

Proposed commit message

Users may have private IPs inside source.ip which prevents geo fields from getting populated.
This PR:

  • Uses source.nat.ip as an alternate for populating geo fields if not already populated by source.ip.
  • Removes processor explicitly populating geo.country_name as it is added by geoip processor.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

cd packages/zscaler_zia && elastic-package build && elastic-package stack up --version=8.13.0 -d -v && eval "$(elastic-package stack shellinit)" && elastic-package test pipeline --generate -v

--- Test results for package: zscaler_zia - START ---
╭─────────────┬─────────────┬───────────┬────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE     │ DATA STREAM │ TEST TYPE │ TEST NAME                                                  │ RESULT │ TIME ELAPSED │
├─────────────┼─────────────┼───────────┼────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ zscaler_zia │ firewall    │ pipeline  │ (ingest pipeline warnings test-firewall-http-endpoint.log) │ PASS   │ 348.205541ms │
│ zscaler_zia │ firewall    │ pipeline  │ (ingest pipeline warnings test-firewall.log)               │ PASS   │ 333.986667ms │
│ zscaler_zia │ firewall    │ pipeline  │ (ingest pipeline warnings test-unicode.json)               │ PASS   │ 372.179208ms │
│ zscaler_zia │ firewall    │ pipeline  │ test-firewall-http-endpoint.log                            │ PASS   │ 94.69425ms   │
│ zscaler_zia │ firewall    │ pipeline  │ test-firewall.log                                          │ PASS   │ 88.065417ms  │
│ zscaler_zia │ firewall    │ pipeline  │ test-unicode.json                                          │ PASS   │ 65.712959ms  │
╰─────────────┴─────────────┴───────────┴────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: zscaler_zia - END ---
Done

Related issues

Screenshots
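The fallback the PR describes, written out as an ingest pipeline fragment in the layout Elastic integrations use. This is an added illustration, not the package's own pipeline: the processor order, the `source.geo` target and the exact `if` condition are assumptions about how the change could be expressed, and the fragment assumes `source.ip` and `source.nat.ip` have already been parsed out of the log line by earlier processors.

```yaml
# Added illustration of the geo fallback described in the PR, not the zscaler_zia
# package's actual pipeline. Assumed: earlier processors have already populated
# source.ip (the client address, possibly RFC 1918) and source.nat.ip (the post-NAT
# public address) on the event.
processors:
  # First attempt: geolocate source.ip. A private address has no record in the
  # GeoIP database, so the processor adds nothing and source.geo stays absent.
  - geoip:
      field: source.ip
      target_field: source.geo
      ignore_missing: true

  # Fallback: run only when the first lookup left source.geo unset and a NAT
  # address is present. The null-safe operator (?.) keeps the Painless condition
  # from throwing when the source or source.nat objects are missing entirely.
  - geoip:
      field: source.nat.ip
      target_field: source.geo
      ignore_missing: true
      if: ctx.source?.geo == null && ctx.source?.nat?.ip != null

  # No explicit `set` of source.geo.country_name follows. country_name is one of
  # the geoip processor's default output properties (alongside continent_name,
  # country_iso_code, region_iso_code, region_name, city_name and location), so a
  # separate processor writing it would only duplicate what geoip already wrote.
```

To check the behaviour outside the package tests, simulate the pipeline with `POST _ingest/pipeline/_simulate` on two constructed documents: one with a private `source.ip` and a public `source.nat.ip`, which should come back with `source.geo` filled from the NAT address, and one with only a private `source.ip`, which should come back with no `source.geo` at all. One caveat when testing inside the integration: the stack that `elastic-package` brings up ships a small test GeoIP database rather than the full GeoLite2 set, so the NAT addresses in the sample logs have to be ones that test database covers, otherwise the fallback will appear to do nothing. `elastic-package test pipeline --generate` then rewrites the `*-expected.json` files so the newly populated `source.geo` values show up in the review diff.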

@kcreddy kcreddy self-assigned this Jan 15, 2025
@kcreddy kcreddy added the labels enhancement (New feature or request), bugfix (Pull request that fixes a bug issue), Integration:zscaler_zia (Zscaler Internet Access) and Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations]), and removed the enhancement label Jan 15, 2025
@kcreddy kcreddy marked this pull request as ready for review January 15, 2025 11:39
@kcreddy kcreddy requested a review from a team as a code owner January 15, 2025 11:39
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

cc @kcreddy

@kcreddy kcreddy merged commit 6e46d8b into elastic:main Jan 17, 2025
5 checks passed
@kcreddy kcreddy deleted the zscaler_zia-ips branch January 17, 2025 09:34
@elastic-vault-github-plugin-prod

Package zscaler_zia - 3.6.3 containing this change is available at https://epr.elastic.co/package/zscaler_zia/3.6.3/

harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 4, 2025
…wall` and `web` logs. (elastic#12356) Users may have private IPs inside `source.ip` which prevents `geo` fields from getting populated. This PR: - Uses `source.nat.ip` as an alternate for populating `geo` fields if not already populated by `source.ip`. - Removes processor explicitly populating `geo.country_name` as it is added by `geoip` processor.
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 5, 2025