nico

Emojis not escaped in inline code blocks

5

`:helicopter:` should not be translated to 🚁.

Extending data dictionaries?

3

There is an extension mechanism for entities, in order not to duplicate field definitions. It would be good to have such a mechanism for data dictionaries as well. For example,...

Entities for scheduled tasks and services?

2

There are no entities defined in the CDM for scheduled tasks or services as far as I can see. While scheduled tasks is a Windows name, they are generic concepts,...

Windows Security logs, fields mismatch for Object Access

1

Hello, the In some Windows Security logs concerning Object Access, the field (e.g. 4656) AccessList is [translated](https://github.com/OTRF/OSSEM/blob/master/source/data_dictionaries/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4656_v1.yml#L70) into `user_privilege_list` while for [others](https://github.com/OTRF/OSSEM/blob/master/source/data_dictionaries/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4691.yml#L46) it is `object_access_list`. Which one is right? PS:...

Windows Security logs, Computer Account Management auditing fields mismatch between events

1

In the Data Dictionary of Windows Security Event 4741, the [field](https://github.com/OTRF/OSSEM/blob/master/source/data_dictionaries/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4741.yml#L190) `UserParameters` is translated into `target_host_user_paremeters` (with a typo), and UserAccountControl into `target_host_user_account_control`. For Event 4742, the corresponding fields are...

The [host] is always removed in every case, making it impossible to test filters that modify it

4

The `host` field is always removed, I believe [there](https://github.com/magnusbaeck/logstash-filter-verifier/blob/master/internal/daemon/session/files.go#L48), which makes it impossible to test filters that modify this field. Example config: ```logstash input { stdin { id => json_lines...

JSON parsing error when there is a single quote in a YAML multiline string

5

### Description We make heavy use of the YAML multiline string format for the input of tests, to be able to define them in readable JSON. However, with LFV2 (and...

Test single filter in daemon mode?

2

### Description With LFV 1.x and with LFV 2.0 in standalone mode, it's possible to test a single filter, without input or output. If I have those files: `mutate.conf` ```logstash...

YAML testcase input

2

Is it possible to specify the input of a test case directly in YAML instead of as a string? Basically, write this: ```yaml --- testcases: - input: - field1: value1...

**Logstash information**: Please include the following information: 1. Logstash version *7.13* 2. Logstash installation source *Official docker* **JVM** (e.g. `java -version`): Bundled **OS version** (`uname -a` if on a Unix-like...