Skip to content

[Cloudflare Logpush] map cloudflare_logpush.http_request.client.ssl.cipher to tls.cipher #13885

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
May 14, 2025
Merged

[Cloudflare Logpush] map cloudflare_logpush.http_request.client.ssl.cipher to tls.cipher #13885

merged 4 commits into from
May 14, 2025

Conversation

@moxarth-rathod
Copy link
Contributor

@moxarth-rathod moxarth-rathod commented May 12, 2025
edited
Loading

Proposed commit message

cloudflare_logpush: map cloudflare_logpush.http_request.client.ssl.cipher to tls.cipher Map cloudflare_logpush.http_request.client.ssl.cipher to the tls.cipher in order to pick up its search behavior without risking potential breaking behavior.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

Clone integrations repo.
Install elastic package locally.
Start elastic stack using elastic-package.
Move to integrations/packages/cloudflare_logpush directory.
Run the following command to run tests.

elastic-package test

Related issues
@moxarth-rathod moxarth-rathod self-assigned this May 12, 2025
@moxarth-rathod moxarth-rathod requested a review from a team as a code owner May 12, 2025 15:11
@moxarth-rathod moxarth-rathod added Integration:cloudflare_logpush Cloudflare Logpush bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels May 12, 2025
@elasticmachine
Copy link

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented May 12, 2025
edited
Loading

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport
efd6
efd6 reviewed May 12, 2025
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can see the justification for this, but I do not agree that this is a fix; at best it is an enhancement since it is enabling something that could not be done in the past, but it is not a conflict with the ECS since the types under custom field hierachies are not constrained by the ECS (arguably), and the field here is not mentioned in the ECS (ssl v tls, yes, tenuous, but valid).

I think this needs thought, and the commit message rationale needs to be clarified.

/cc @ShourieG @leandrojmp
packages/cloudflare_logpush/changelog.yml Outdated
Comment on lines 4 to 5
- description: Fix the field type of http_request.client.ssl.cipher from text to keyword.
type: bugfix
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do not believe that this is a fix since I am not convinced that this is a bug. It is unfortunate, but it is not a strict conflict.
@leandrojmp
Copy link
Contributor

I can see the justification for this, but I do not agree that this is a fix; at best it is an enhancement since it is enabling something that could not be done in the past, but it is not a conflict with the ECS since the types under custom field hierachies are not constrained by the ECS (arguably), and the field here is not mentioned in the ECS (ssl v tls, yes, tenuous, but valid).

I think this needs thought, and the commit message rationale needs to be clarified.

/cc @ShourieG @leandrojmp

I think this can be considered an enhancement, I mentioned on the Issue that I've opened that the current mapping is wrong because the value for the field cloudflare_logpush.http_request.client.ssl.cipher is a keyword and the equivalent ECS field would be tls.cipher, but this is indeed not a conflict.

Some values for this field are:

  • AEAD-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • NONE

Which is a string that indicates the cipher used during the connection, the same description for ecs tls.cipher field.

A future improvement could be just renaming this into tls.cipher to make it easier to correlate with other data sources, this is something that we are doing using the custom ingest pipeline.
@efd6
Copy link
Contributor

efd6 commented May 13, 2025

@leandrojmp

Which is a string that indicates the cipher used during the connection, the same description for ecs tls.cipher field.

Oh, I absolutely agree that it is intended to be semantically the same, but ECS legalism…

A future improvement could be just renaming this into tls.cipher to make it easier to correlate with other data sources, this is something that we are doing using the custom ingest pipeline.

TBH, this would be my preferred solution — copying the value over to tls.cipher — but I was concerned that the semantics of client might be lost in the move to that field where client is not indicated in the field name. As a user, do you think that would an issue?
@leandrojmp
Copy link
Contributor

leandrojmp commented May 13, 2025
edited
Loading

TBH, this would be my preferred solution — copying the value over to tls.cipher — but I was concerned that the semantics of client might be lost in the move to that field where client is not indicated in the field name. As a user, do you think that would an issue?

I don't think this would be an issue on this dataset, also there are other tls.* fields being created by the ingest pipeline from some client fields already.

 - grok: field: cloudflare_logpush.http_request.client.ssl.protocol patterns: - "^%{DATA:tls.version_protocol}v%{DATA:tls.version}$" ignore_missing: true ignore_failure: true - lowercase: field: tls.version_protocol ignore_missing: true

So creating tls.cipher from cloudflare_logpush.http_request.client.ssl.cipher would be aligned with the other fields.
@efd6
Copy link
Contributor

efd6 commented May 13, 2025

@leandrojmp, thanks. Let's wait for @ShourieG, but @moxarth-rathod I think we may want to do that rather than what is here now.
@moxarth-rathod @efd6
Add PR link in the changelog
03f4ef9 
Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
@moxarth-rathod
Copy link
Contributor Author

@leandrojmp, thanks. Let's wait for @ShourieG, but @moxarth-rathod I think we may want to do that rather than what is here now.

Got it @efd6. I'll update this as per the suggestions.
@moxarth-rathod moxarth-rathod requested a review from efd6 May 13, 2025 07:48
@ShourieG
Copy link
Contributor

@moxarth-rathod LGTM from my end, but wait for Dan's approval before merging.
efd6
efd6 reviewed May 13, 2025
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please also update the proposed commit message to match the behaviour here.

cloudflare_logpush: map cloudflare_logpush.http_request.client.ssl.cipher to tls.cipher Map cloudflare_logpush.http_request.client.ssl.cipher to the tls.cipher in order to pick up its search behavior without risking potential breaking behavior.
@moxarth-rathod @efd6
Update the changelog description
dab25a5 
Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
@moxarth-rathod moxarth-rathod requested a review from efd6 May 14, 2025 05:14
@elastic-sonarqube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
92.3% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube
@elasticmachine
Copy link

💚 Build Succeeded

History

cc @moxarth-rathod
@efd6 efd6 changed the title [Cloudflare Logpush] Fix field type from text to keyword for process fields [Cloudflare Logpush] map cloudflare_logpush.http_request.client.ssl.cipher to tls.cipher May 14, 2025
@efd6 efd6 merged commit 71f1e85 into elastic:main May 14, 2025
7 checks passed
@elastic-vault-github-plugin-prod
Copy link

Package cloudflare_logpush - 1.38.0 containing this change is available at https://epr.elastic.co/package/cloudflare_logpush/1.38.0/
anupratharamachandran pushed a commit to anupratharamachandran/integrations that referenced this pull request Jun 2, 2025
@moxarth-rathod @anupratharamachandran
[Cloudflare Logpush] map cloudflare_logpush.http_request.client.ssl.c…
96021e5 
…ipher to tls.cipher (elastic#13885) Map cloudflare_logpush.http_request.client.ssl.cipher to the tls.cipher in order to pick up its search behavior without risking potential breaking behavior.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bugfix Pull request that fixes a bug issue Integration:cloudflare_logpush Cloudflare Logpush Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors]

5 participants

@moxarth-rathod @elasticmachine @leandrojmp @efd6 @ShourieG