
Conversation

@leandrojmp
Contributor

@leandrojmp leandrojmp commented Apr 2, 2025

  • Enhancement

Proposed commit message

This pull request adds parsing for fields present in the source document from Cloudflare Logpush for the Firewall Events; those fields are currently being dropped.

This adds parsing for the Description field, which is the description of the rule that triggered. The field json.Description is renamed to cloudflare_logpush.firewall_event.rule.description and the ECS field rule.description is also created.

The field cloudflare_logpush.firewall_event.rule.description is removed if the user does not want to have duplicated fields.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Related issues
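The three processors the description above refers to, written out here as an added illustration rather than the PR's own pipeline. It assumes the Logpush document has already been decoded into a `json` object, and that the final removal is gated by the integrations' `preserve_duplicate_custom_fields` tag convention (an assumption for this example).

```yaml
# Added illustration of the rename / set / remove steps the PR describes;
# this is not the integration's actual default.yml.
# Assumes the raw Logpush JSON was already decoded into `json`.
description: Cloudflare Logpush Firewall Events pipeline (excerpt)
processors:
  # Move the vendor field out of the temporary `json` object.
  - rename:
      field: json.Description
      target_field: cloudflare_logpush.firewall_event.rule.description
      ignore_missing: true
  # Populate the ECS field from the vendor copy.
  - set:
      field: rule.description
      copy_from: cloudflare_logpush.firewall_event.rule.description
      ignore_empty_value: true
  # Drop the vendor copy unless the user asked to keep duplicated fields
  # (tag convention assumed for this example).
  - remove:
      field: cloudflare_logpush.firewall_event.rule.description
      if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
      ignore_missing: true
```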

@andrewkroh andrewkroh added the Integration:cloudflare_logpush Cloudflare Logpush label Apr 2, 2025
@leandrojmp leandrojmp marked this pull request as ready for review April 4, 2025 18:59
@leandrojmp leandrojmp requested a review from a team as a code owner April 4, 2025 18:59
@andrewkroh andrewkroh added the Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] label Apr 4, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@efd6 efd6 added the enhancement New feature or request label Apr 6, 2025
@efd6
Contributor

efd6 commented Apr 6, 2025

/test

Contributor

@efd6 efd6 left a comment


This will need to have an update to the fields definitions and the readme.

@leandrojmp
Contributor Author

This will need to have an update to the fields definitions and the readme.

Done!

@efd6
Contributor

efd6 commented Apr 7, 2025

/test

@efd6
Contributor

efd6 commented Apr 7, 2025

Please run elastic-package build.

@efd6
Contributor

efd6 commented Apr 7, 2025

/test

@efd6
Contributor

efd6 commented Apr 7, 2025

The pipeline test expectations are not matching.

@leandrojmp
Contributor Author

leandrojmp commented Apr 7, 2025

@efd6 how can I fix this? I have no idea what is wrong.

I added a new event in the test-pipeline-firewall-event.log file and the equivalent expected event test-pipeline-firewall-event.log-expected.json with the new fields that would be generated.

Not sure exactly what it is complaining about.

@efd6
Contributor

efd6 commented Apr 7, 2025

I'll take a look in a moment.

@efd6
Contributor

efd6 commented Apr 7, 2025

Running elastic-package test pipeline -g results in this diff.

diff --git a/packages/cloudflare_logpush/data_stream/firewall_event/_dev/test/pipeline/test-pipeline-firewall-event.log-expected.json b/packages/cloudflare_logpush/data_stream/firewall_event/_dev/test/pipeline/test-pipeline-firewall-event.log-expected.json index 2ba4ed2d5c..1d3463d207 100644 --- a/packages/cloudflare_logpush/data_stream/firewall_event/_dev/test/pipeline/test-pipeline-firewall-event.log-expected.json +++ b/packages/cloudflare_logpush/data_stream/firewall_event/_dev/test/pipeline/test-pipeline-firewall-event.log-expected.json @@ -566,8 +566,8 @@ "id": "713d477539b55c29" }, "rule": { - "id": "7dc666e026974dab84884c73b3e2afe1", - "description": "Rule Description" + "description": "Rule Description", + "id": "7dc666e026974dab84884c73b3e2afe1" }, "source": "firewallrules", "timestamp": "2022-05-31T05:23:43.000Z" 
@@ -583,7 +583,7 @@ ], "id": "713d477539b55c29", "kind": "event", - "original": "{\"ClientRequestScheme\":\"https\",\"MatchIndex\":1,\"ClientRefererHost\":\"abc.example.com\",\"Source\":\"firewallrules\",\"ClientRequestUserAgent\":\"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\",\"ClientRefererPath\":\"/abc/checkout\",\"Metadata\":{\"filter\":\"1ced07e066a34abf8b14f2a99593bc8d\",\"type\":\"customer\"},\"EdgeResponseStatus\":403,\"ClientRequestProtocol\":\"HTTP/1.1\",\"OriginatorRayID\":\"00\",\"RayID\":\"713d477539b55c29\",\"ClientRequestMethod\":\"GET\",\"ClientIP\":\"175.16.199.0\",\"ClientRequestPath\":\"/abc/checkout\",\"Action\":\"block\",\"Kind\":\"firewall\",\"RuleID\":\"7dc666e026974dab84884c73b3e2afe1\",\"Description\":\"Rule Description\",\"ClientIPClass\":\"searchEngine\",\"ClientASNDescription\":\"CLOUDFLARENET\",\"ClientCountry\":\"us\",\"ClientRefererQuery\":\"?sourcerer=(default%3A(id%3A!n%2CselectedPatterns%3A!(eqldemo%2C%27logs-endpoint.*-eqldemo%27%2C%27logs-system.*-eqldemo%27%2C%27logs-windows.*-eqldemo%27%2Cmetricseqldemo)))&timerange=(global%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.199Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.200Z%27%2CtoStr%3Anow))%2Ctimeline%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.201Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.202Z%27%2CtoStr%3Anow)))\",\"ClientRequestQuery\":\"?sourcerer=(default%3A(id%3A!n%2CselectedPatterns%3A!(eqldemo%2C%27logs-endpoint.*-eqldemo%27%2C%27logs-system.*-eqldemo%27%2C%27logs-windows.*-eqldemo%27%2Cmetricseqldemo)))&timerange=(global%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.199Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.200Z%27%2CtoStr%3Anow))%2Ctimeline%3A(linkTo%3A!()
%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.201Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.202Z%27%2CtoStr%3Anow)))\",\"OriginResponseStatus\":0,\"EdgeColoCode\":\"IAD\",\"ClientRefererScheme\":\"referer URL scheme\",\"Datetime\":\"1653974623000000000\",\"ClientRequestHost\":\"xyz.example.com\",\"ClientASN\":15169}", + "original": "{\"ClientRequestScheme\":\"https\",\"MatchIndex\":1,\"ClientRefererHost\":\"abc.example.com\",\"Source\":\"firewallrules\",\"ClientRequestUserAgent\":\"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\",\"ClientRefererPath\":\"/abc/checkout\",\"Metadata\":{\"filter\":\"1ced07e066a34abf8b14f2a99593bc8d\",\"type\":\"customer\"},\"EdgeResponseStatus\":403,\"ClientRequestProtocol\":\"HTTP/1.1\",\"OriginatorRayID\":\"00\",\"RayID\":\"713d477539b55c29\",\"ClientRequestMethod\":\"GET\",\"ClientIP\":\"175.16.199.0\",\"ClientRequestPath\":\"/abc/checkout\",\"Action\":\"block\",\"Kind\":\"firewall\",\"RuleID\":\"7dc666e026974dab84884c73b3e2afe1\", \"Description\":\"Rule 
Description\",\"ClientIPClass\":\"searchEngine\",\"ClientASNDescription\":\"CLOUDFLARENET\",\"ClientCountry\":\"us\",\"ClientRefererQuery\":\"?sourcerer=(default%3A(id%3A!n%2CselectedPatterns%3A!(eqldemo%2C%27logs-endpoint.*-eqldemo%27%2C%27logs-system.*-eqldemo%27%2C%27logs-windows.*-eqldemo%27%2Cmetricseqldemo)))&timerange=(global%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.199Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.200Z%27%2CtoStr%3Anow))%2Ctimeline%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.201Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.202Z%27%2CtoStr%3Anow)))\",\"ClientRequestQuery\":\"?sourcerer=(default%3A(id%3A!n%2CselectedPatterns%3A!(eqldemo%2C%27logs-endpoint.*-eqldemo%27%2C%27logs-system.*-eqldemo%27%2C%27logs-windows.*-eqldemo%27%2Cmetricseqldemo)))&timerange=(global%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.199Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.200Z%27%2CtoStr%3Anow))%2Ctimeline%3A(linkTo%3A!()%2Ctimerange%3A(from%3A%272022-04-05T00%3A00%3A01.201Z%27%2CfromStr%3Anow-24h%2Ckind%3Arelative%2Cto%3A%272022-04-06T00%3A00%3A01.202Z%27%2CtoStr%3Anow)))\",\"OriginResponseStatus\":0,\"EdgeColoCode\":\"IAD\",\"ClientRefererScheme\":\"referer URL scheme\",\"Datetime\":\"1653974623000000000\",\"ClientRequestHost\":\"xyz.example.com\",\"ClientASN\":15169}", "type": [ "info" ] @@ -610,8 +610,8 @@ ] }, "rule": { - "id": "7dc666e026974dab84884c73b3e2afe1", - "description": "Rule Description" + "description": "Rule Description", + "id": "7dc666e026974dab84884c73b3e2afe1" }, "source": { "as": {
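Review bot: in the hunk at @@ -566 the values inside "rule" are unchanged and only the key order differs: the generated expectation puts "description" before "id", while the hand-edited file listed "id" first. Regenerating with elastic-package test pipeline -g writes the keys in the order the comparison expects, so the file should not be edited by hand. The hunk at @@ -610 is the identical reordering of the same two keys.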
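Review bot: in the hunk at @@ -583 the event.original value differs only by a space after the comma preceding \"Description\" (the + line reads `\"RuleID\":\"7dc666e026974dab84884c73b3e2afe1\", \"Description\":...`), which shows the sample line added to test-pipeline-firewall-event.log contains that space and the hand-typed expectation did not. event.original has to match the input line byte for byte, so either regenerate the expectation or, preferably, remove the stray space from the new line in the .log file so it is formatted like the other sample events.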

It looks like the test expectations were hand edited. As above, it's best to let the machine do that.

@leandrojmp
Contributor Author

@efd6 thanks!

I've just run elastic-package test pipeline -g to generate the correct expected output.

@efd6
Contributor

efd6 commented Apr 7, 2025

/test

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded


@efd6 efd6 merged commit e6c40fa into elastic:main Apr 7, 2025
7 checks passed
@elastic-vault-github-plugin-prod

Package cloudflare_logpush - 1.37.0 containing this change is available at https://epr.elastic.co/package/cloudflare_logpush/1.37.0/

@leandrojmp leandrojmp deleted the add-new-fields-cloudflare-logpush-firewall-events branch April 7, 2025 12:26