Filebeat ingest processor for CloudTrail maps previous digest object

Open sypste opened this issue 3 years ago • 2 comments

Please post all questions and issues on https://discuss.elastic.co/c/beats before opening a Github Issue. Your questions will reach a wider audience there, and if we confirm that there is a bug, then you can open a new issue.

For security vulnerabilities please only send reports to [email protected]. See https://www.elastic.co/community/security for more information.

Please include configurations and logs if available.

For confirmed bugs, please report:

  • Version: 7.17.x+
  • Operating System: any
  • Discuss Forum URL: https://discuss.elastic.co/t/question-about-cloudtrail-ingest-processor-for-file-path/311405
  • Steps to Reproduce:

We came across a confounding mapping for the CloudTrail processor in Filebeat, where a CloudTrail digest file is mapped to ECS. A CloudTrail digest file contains both an S3 reference to itself as well as to the previous digest file (see docs). The Filebeat processor maps the previous digest file to file.path instead of the current one, which is sometimes null (see configuration for the ingest pipeline). This behavior is unexpected.

sypste, Aug 04 '22 15:08

@leehinman Hope you don't mind if I tag you directly, since you implemented the feature.

sypste, Aug 08 '22 07:08

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

elasticmachine, Aug 11 '22 20:08