From fe6a6181a723ac06a3d6b99318168b7957810e00 Mon Sep 17 00:00:00 2001 
From: Dan Kortschak Date: Thu, 3 Oct 2024 06:04:46 +0930 Subject: [PATCH] sdd_all: use triple-brace templating (#11286) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The mustache templating system used by ingest pipelines has two levels of escaping available, not escaped (triple stache) and HTML escaped (double stache) — see man mustache[1] under "tag types: variables". This can lead to data corruption, particularly in cases where an operating system has chosen to use a character requiring escaping in its path syntax. [1]http://mustache.github.io/mustache.5.html [git-generate] for f in $( ( for p in $( yq 'select(.owner.github == "elastic/sec-deployment-and-devices")|.name' packages/**/manifest.yml \ | grep -v -- '---' ); do rg -l -g '*.yml' ": ('\{\{[^{][ .a-zA-Z0-9_]*[^}]}}'|\"\{\{[^{][ .a-zA-Z0-9_]*[^}]}}\")" packages/$p done )|grep "elasticsearch/ingest_pipeline"|sort|uniq ); do sed -i -r "s/: (['\"])\{\{([^{][ .a-zA-Z0-9_]*[^}])}}['\"]/: \1{{{\2}}}\1/g" $f done for p in $(git diff --name-only HEAD~1|cut -d/ -f1,2|sort|uniq); do ( cd $p elastic-package test pipeline -g elastic-package changelog add \ --description "Use triple-brace Mustache templating when referencing variables in ingest pipelines." 
\ --type bugfix \ --next patch \ --link https://github.com/elastic/integrations/pull/11286 )>/dev/null 2>&1 done --- packages/bluecoat/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/bluecoat/manifest.yml | 2 +- packages/cef/changelog.yml | 5 ++ .../ingest_pipeline/cp-pipeline.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 20 +++---- .../ingest_pipeline/fp-pipeline.yml | 8 +-- packages/cef/manifest.yml | 2 +- packages/checkpoint/changelog.yml | 5 ++ ...est-checkpoint-with-time.log-expected.json | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 26 +++++----- packages/checkpoint/manifest.yml | 2 +- packages/cisco_ise/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- ...e_administrative_and_operational_audit.yml | 10 ++-- .../pipeline_policy_diagnostics.yml | 2 +- ..._posture_and_client_provisioning_audit.yml | 2 +- .../pipeline_radius_accounting.yml | 4 +- packages/cisco_ise/manifest.yml | 2 +- packages/citrix_waf/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/citrix_waf/manifest.yml | 2 +- packages/fortinet_forticlient/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/fortinet_forticlient/manifest.yml | 2 +- packages/fortinet_fortiedr/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/fortinet_fortiedr/manifest.yml | 2 +- packages/fortinet_fortigate/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/login.yml | 10 ++-- packages/fortinet_fortigate/manifest.yml | 2 +- packages/juniper_junos/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/juniper_junos/manifest.yml | 2 +- packages/juniper_netscreen/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/juniper_netscreen/manifest.yml | 2 +- packages/juniper_srx/changelog.yml | 5 ++ .../log/elasticsearch/ingest_pipeline/atp.yml | 20 +++---- 
.../elasticsearch/ingest_pipeline/default.yml | 20 +++---- .../elasticsearch/ingest_pipeline/flow.yml | 20 +++---- .../log/elasticsearch/ingest_pipeline/idp.yml | 20 +++---- .../log/elasticsearch/ingest_pipeline/ids.yml | 20 +++---- .../ingest_pipeline/secintel.yml | 20 +++---- .../elasticsearch/ingest_pipeline/system.yml | 24 ++++----- .../log/elasticsearch/ingest_pipeline/utm.yml | 20 +++---- packages/juniper_srx/manifest.yml | 2 +- packages/modsecurity/changelog.yml | 5 ++ .../ingest_pipeline/apache-modsec.yml | 2 +- .../ingest_pipeline/nginx-modsec.yml | 2 +- packages/modsecurity/manifest.yml | 2 +- packages/netflow/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 4 +- packages/netflow/manifest.yml | 2 +- packages/netscout/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/netscout/manifest.yml | 2 +- packages/osquery/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 36 ++++++------- packages/osquery/manifest.yml | 2 +- packages/pfsense/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 14 ++--- .../elasticsearch/ingest_pipeline/dhcp.yml | 2 +- .../elasticsearch/ingest_pipeline/haproxy.yml | 2 +- .../elasticsearch/ingest_pipeline/ipsec.yml | 4 +- .../elasticsearch/ingest_pipeline/openvpn.yml | 2 +- packages/pfsense/manifest.yml | 2 +- packages/qnap_nas/changelog.yml | 5 ++ .../pipeline/test-access.log-expected.json | 40 +++++++------- .../pipeline/test-event.log-expected.json | 52 +++++++++---------- .../elasticsearch/ingest_pipeline/default.yml | 10 ++-- packages/qnap_nas/manifest.yml | 2 +- packages/radware/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/radware/manifest.yml | 2 +- packages/snort/changelog.yml | 5 ++ .../pipeline/test-log-csv.log-expected.json | 16 +++--- .../pipeline/test-log-fast.log-expected.json | 20 +++---- .../pipeline/test-log-full.log-expected.json | 14 ++--- .../pipeline/test-log-json.log-expected.json | 10 ++-- 
.../test-log-syslog.log-expected.json | 6 +-- .../elasticsearch/ingest_pipeline/default.yml | 8 +-- packages/snort/manifest.yml | 2 +- packages/sophos/changelog.yml | 5 ++ .../ingest_pipeline/antispam.yml | 2 +- .../ingest_pipeline/antivirus.yml | 2 +- .../xg/elasticsearch/ingest_pipeline/atp.yml | 2 +- .../elasticsearch/ingest_pipeline/cfilter.yml | 2 +- .../elasticsearch/ingest_pipeline/default.yml | 2 +- .../elasticsearch/ingest_pipeline/event.yml | 4 +- .../ingest_pipeline/firewall.yml | 2 +- .../xg/elasticsearch/ingest_pipeline/idp.yml | 2 +- .../ingest_pipeline/sandstorm.yml | 2 +- packages/sophos/manifest.yml | 2 +- packages/suricata/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../eve/elasticsearch/ingest_pipeline/tls.yml | 2 +- packages/suricata/manifest.yml | 2 +- 98 files changed, 397 insertions(+), 292 deletions(-) diff --git a/packages/bluecoat/changelog.yml b/packages/bluecoat/changelog.yml index 809375340e5..b494f9bf9dd 100644 --- a/packages/bluecoat/changelog.yml +++ b/packages/bluecoat/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.17.3" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11286 - version: "0.17.2" changes: - description: Changed owners diff --git a/packages/bluecoat/data_stream/director/elasticsearch/ingest_pipeline/default.yml b/packages/bluecoat/data_stream/director/elasticsearch/ingest_pipeline/default.yml index a2cb851fda2..238f9449ff2 100644 --- a/packages/bluecoat/data_stream/director/elasticsearch/ingest_pipeline/default.yml +++ b/packages/bluecoat/data_stream/director/elasticsearch/ingest_pipeline/default.yml @@ -53,7 +53,7 @@ processors: ignore_missing: true - append: field: related.hosts - value: '{{host.name}}' + value: '{{{host.name}}}' allow_duplicates: false if: ctx.host?.name != null && ctx.host?.name != '' - remove: 
diff --git a/packages/bluecoat/manifest.yml b/packages/bluecoat/manifest.yml index f21dc22a67e..db1db76268f 100644 --- a/packages/bluecoat/manifest.yml +++ b/packages/bluecoat/manifest.yml @@ -1,7 +1,7 @@ format_version: 2.7.0 name: bluecoat title: Blue Coat Director Logs (Deprecated) -version: "0.17.2" +version: "0.17.3" description: Deprecated. Director is no longer supported. categories: ["network", "security", "proxy_security"] type: integration diff --git a/packages/cef/changelog.yml b/packages/cef/changelog.yml index 1303152f2d8..bbd8b7de109 100644 --- a/packages/cef/changelog.yml +++ b/packages/cef/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.17.3" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11286 - version: "2.17.2" changes: - description: Make dataset name configurable diff --git a/packages/cef/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml b/packages/cef/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml index fda415bf8b2..cfdf9e1c389 100644 --- a/packages/cef/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml +++ b/packages/cef/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml @@ -279,8 +279,8 @@ processors: field: _tmp_copy processor: set: - field: '{{_ingest._value.to}}' - value: '{{_ingest._value.value}}' + field: '{{{_ingest._value.to}}}' + value: '{{{_ingest._value.value}}}' - remove: field: _tmp_copy - set: diff --git a/packages/cef/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cef/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 40c08567d1e..3770561d67f 100644 --- a/packages/cef/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cef/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
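Review bot: In the cp-pipeline hunk the destination field name itself is templated (`field: '{{{_ingest._value.to}}}'`), so whatever `_ingest._value.to` holds is now used verbatim as a dot-path; that is fine if `_tmp_copy` is a fixed list the pipeline builds itself, but its construction is outside this hunk, and if any entry were derived from event content a `to` value containing `.` would silently create nested fields. If the fixed-list assumption holds, a one-line comment above the `foreach` documenting it (for example `# _tmp_copy is assembled by this pipeline; to/value are not event-controlled`) would make that explicit for the next maintainer. The triple braces on both `field` and `value` are the right change for the escaping problem the commit targets.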
@@ -57,46 +57,46 @@ processors: if: ctx?.cef?.extensions?.fileHash != null && ctx?.cef?.extensions?.fileHash != '' field: related.hash allow_duplicates: false - value: '{{cef.extensions.fileHash}}' + value: '{{{cef.extensions.fileHash}}}' - append: if: ctx?.cef?.extensions?.oldFileHash != null && ctx?.cef?.extensions?.oldFileHash != '' field: related.hash allow_duplicates: false - value: '{{cef.extensions.oldFileHash}}' + value: '{{{cef.extensions.oldFileHash}}}' - append: if: ctx?.destination?.ip != null && ctx?.destination?.ip != '' field: related.ip allow_duplicates: false - value: '{{destination.ip}}' + value: '{{{destination.ip}}}' - append: if: ctx?.destination?.nat?.ip != null && ctx?.destination?.nat?.ip != '' field: related.ip allow_duplicates: false - value: '{{destination.nat.ip}}' + value: '{{{destination.nat.ip}}}' - append: if: ctx?.source?.ip != null && ctx?.source?.ip != '' field: related.ip allow_duplicates: false - value: '{{source.ip}}' + value: '{{{source.ip}}}' - append: if: ctx?.source?.nat?.ip != null && ctx?.source?.nat?.ip != '' field: related.ip allow_duplicates: false - value: '{{source.nat.ip}}' + value: '{{{source.nat.ip}}}' - append: if: ctx?.destination?.user?.name != null field: related.user - value: '{{destination.user.name}}' + value: '{{{destination.user.name}}}' - append: if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != '' field: related.user allow_duplicates: false - value: '{{source.user.name}}' + value: '{{{source.user.name}}}' - append: if: ctx?.observer?.hostname != null && ctx?.observer?.hostname != '' field: related.hosts allow_duplicates: false - value: '{{observer.hostname}}' + value: '{{{observer.hostname}}}' - pipeline: if: ctx.cef?.device?.vendor == 'FORCEPOINT' name: '{{ IngestPipeline "fp-pipeline" }}' 
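Review bot: The `related.user` append from `destination.user.name` in this hunk is missing the `allow_duplicates: false` and `!= ''` guard that every sibling append here carries, so an empty destination user is appended as `""` and a name already present in `related.user` is added twice; align it with the others: `if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != ''` plus `allow_duplicates: false`. Separately, `name: '{{ IngestPipeline "fp-pipeline" }}'` at the end of the hunk is correctly left with double braces — as far as I understand it is expanded when the package is installed, not by Mustache at ingest time — but now that the file mixes brace styles a short comment above it, such as `# Package-level template, not Mustache: keep double braces.`, would stop a future mechanical pass from converting it.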
@@ -173,7 +173,7 @@ processors: if: ctx._tmp?.observer != null && ctx.observer?.ip == null field: observer.ip tag: observer append - value: '{{_tmp.observer}}' + value: '{{{_tmp.observer}}}' # Set ECS event outcome from ArcSight outcomes - set: if: ctx.cef?.extensions?.categoryOutcome == "/Success" diff --git a/packages/cef/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml b/packages/cef/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml index ac4d7fa27d0..7e51daff711 100644 --- a/packages/cef/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml +++ b/packages/cef/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml @@ -5,22 +5,22 @@ processors: - set: field: rule.id ignore_empty_value: true - value: '{{cef.extensions.deviceCustomString1}}' + value: '{{{cef.extensions.deviceCustomString1}}}' # cs2 is natRuleID - set: field: rule.id ignore_empty_value: true - value: '{{cef.extensions.deviceCustomString2}}' + value: '{{{cef.extensions.deviceCustomString2}}}' # cs3 is VulnerabilityReference - set: field: vulnerability.reference ignore_empty_value: true - value: '{{cef.extensions.deviceCustomString3}}' + value: '{{{cef.extensions.deviceCustomString3}}}' # cs4 is virusID - set: field: cef.forcepoint.virus_id ignore_empty_value: true - value: '{{cef.extensions.deviceCustomString4}}' + value: '{{{cef.extensions.deviceCustomString4}}}' on_failure: - append: field: error.message diff --git a/packages/cef/manifest.yml b/packages/cef/manifest.yml index 8d203c45c14..32660a65ccc 100644 --- a/packages/cef/manifest.yml +++ b/packages/cef/manifest.yml @@ -1,6 +1,6 @@ name: cef title: Common Event Format (CEF) -version: "2.17.2" +version: "2.17.3" description: Collect logs from CEF Logs with Elastic Agent. categories: - security diff --git a/packages/checkpoint/changelog.yml b/packages/checkpoint/changelog.yml index 83289c411d5..c5eb23adb5c 100644 --- a/packages/checkpoint/changelog.yml +++ b/packages/checkpoint/changelog.yml 
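Review bot: Each `set` in the fp-pipeline hunk copies a single field through a template, which renders the value to a string and is exactly where Mustache escaping caused the corruption; the `set` processor's `copy_from` option copies the value verbatim with no rendering at all, e.g. replace `value: '{{{cef.extensions.deviceCustomString1}}}'` with `copy_from: cef.extensions.deviceCustomString1`, keeping `ignore_empty_value: true` (verify it is honoured together with `copy_from` on the stack versions this package supports). The same applies to the single-variable `set` processors in checkpoint's default.yml (`observer.product`, where the fixture change in this commit shows the doubled backslash the triple braces fix), fortinet_fortigate's login.yml (`user.name`) and juniper_srx's atp.yml, where `copy_from` would also make the following `convert` back to the original type unnecessary. `append` has no equivalent option, so the triple-brace fix is the right one for those processors.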
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.34.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11286 - version: "1.34.0" changes: - description: Drop support for EOL OS version R80.X diff --git a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json index 7758593c054..b082dcda739 100644 --- a/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json +++ b/packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json @@ -208,7 +208,7 @@ "zone": "External" }, "name": "172.16.2.9", - "product": "VPN-1 \\\\u0026 FireWall-1", + "product": "VPN-1 \\u0026 FireWall-1", "type": "firewall", "vendor": "Checkpoint" }, @@ -298,7 +298,7 @@ "zone": "External" }, "name": "172.16.2.9", - "product": "VPN-1 \\\\u0026 FireWall-1", + "product": "VPN-1 \\u0026 FireWall-1", "type": "firewall", "vendor": "Checkpoint" }, diff --git a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml index 7bfe5a30417..75ef37fe2fa 100644 --- a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml +++ b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml @@ -192,7 +192,7 @@ processors: if: ctx.checkpoint?.type == null - set: field: observer.product - value: "{{checkpoint.product}}" + value: "{{{checkpoint.product}}}" ignore_empty_value: true - rename: field: checkpoint.src 
@@ -435,37 +435,37 @@ processors: if: ctx.checkpoint?.action == 'Failed Log In' - append: field: related.ip - value: "{{source.ip}}" + value: "{{{source.ip}}}" allow_duplicates: false if: ctx.source?.ip != null - append: field: related.ip - value: "{{source.nat.ip}}" + value: "{{{source.nat.ip}}}" allow_duplicates: false if: ctx.source?.nat?.ip != null - append: field: related.ip - value: "{{destination.ip}}" + value: "{{{destination.ip}}}" allow_duplicates: false if: ctx.destination?.ip != null - append: field: related.ip - value: "{{destination.nat.ip}}" + value: "{{{destination.nat.ip}}}" allow_duplicates: false if: ctx.destination?.nat?.ip != null - append: field: related.hash - value: "{{checkpoint.file_md5}}" + value: "{{{checkpoint.file_md5}}}" allow_duplicates: false if: ctx.checkpoint?.file_md5 != null - append: field: related.hash - value: "{{checkpoint.file_sha1}}" + value: "{{{checkpoint.file_sha1}}}" allow_duplicates: false if: ctx.checkpoint?.file_sha1 != null - append: field: related.hash - value: "{{checkpoint.file_sha256}}" + value: "{{{checkpoint.file_sha256}}}" allow_duplicates: false if: ctx.checkpoint?.file_sha256 != null - rename: @@ -1097,22 +1097,22 @@ processors: if: ctx.checkpoint?.sys_message != null - append: field: related.user - value: "{{checkpoint.user}}" + value: "{{{checkpoint.user}}}" allow_duplicates: false if: ctx.checkpoint?.user != null - append: field: related.user - value: "{{checkpoint.administrator}}" + value: "{{{checkpoint.administrator}}}" allow_duplicates: false if: ctx.checkpoint?.administrator != null - append: field: related.user - value: "{{checkpoint.src_user_name}}" + value: "{{{checkpoint.src_user_name}}}" allow_duplicates: false if: ctx.checkpoint?.src_user_name != null - append: field: related.user - value: "{{checkpoint.dst_user_name}}" + value: "{{{checkpoint.dst_user_name}}}" allow_duplicates: false if: ctx.checkpoint?.dst_user_name != null - script: 
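Review bot: The `related.ip`, `related.hash` and `related.user` appends in this hunk and in the `@@ -1097` hunk below guard only on `!= null`, so an empty-string `checkpoint.file_md5` (or `source.ip`, `checkpoint.user`, and so on) is still appended as `""`, whereas the cef pipeline touched by this same commit uses `!= null && … != ''`. Extending each condition, e.g. `if: ctx.checkpoint?.file_md5 != null && ctx.checkpoint?.file_md5 != ''`, keeps empty values out of the `related.*` fields that detection rules key on. This predates the commit rather than being introduced by it, but the pass over these exact lines is a cheap moment to fix it.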
@@ -1303,4 +1303,4 @@ on_failure: value: pipeline_error - append: field: error.message - value: "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/checkpoint/manifest.yml b/packages/checkpoint/manifest.yml index 7298ff5bf0b..2b1626bbbef 100644 --- a/packages/checkpoint/manifest.yml +++ b/packages/checkpoint/manifest.yml @@ -1,6 +1,6 @@ name: checkpoint title: Check Point -version: "1.34.0" +version: "1.34.1" description: Collect logs from Check Point with Elastic Agent. type: integration format_version: "3.0.3" diff --git a/packages/cisco_ise/changelog.yml b/packages/cisco_ise/changelog.yml index 6a71e8d02c5..e4ebfdc7551 100644 --- a/packages/cisco_ise/changelog.yml +++ b/packages/cisco_ise/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.23.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11286 - version: "1.23.0" changes: - description: "Allow @custom pipeline access to event.original without setting preserve_original_event." diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 1b9462e9e6a..a75b0d97c56 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -158,7 +158,7 @@ processors: on_failure: - append: field: error.message - value: "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" - remove: field: cisco_ise.log.log_details.ConfigVersionId ignore_missing: true 
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml index 81f2c6feaa5..db7878fc279 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml @@ -348,7 +348,7 @@ processors: on_failure: - append: field: error.message - value: "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" - remove: field: cisco_ise.log.log_details.DestinationPort ignore_missing: true @@ -365,7 +365,7 @@ processors: on_failure: - append: field: error.message - value: "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" - remove: field: cisco_ise.log.log_details.FailureFlag ignore_missing: true @@ -423,7 +423,7 @@ processors: on_failure: - append: field: error.message - value: "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" - remove: field: cisco_ise.log.log_details.FeedServiceQueryToTime ignore_missing: true @@ -436,7 +436,7 @@ processors: on_failure: - append: field: error.message - value: "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" - remove: field: cisco_ise.log.log_details.FeedServiceQueryFromTime ignore_missing: true @@ -512,7 +512,7 @@ processors: on_failure: - append: field: error.message - value: "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" - remove: field: cisco_ise.log.log_details.ResponseTime ignore_missing: true 
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_policy_diagnostics.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_policy_diagnostics.yml index 58f1c6f6e92..0ee3b3374ef 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_policy_diagnostics.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_policy_diagnostics.yml @@ -100,7 +100,7 @@ processors: on_failure: - append: field: error.message - value: "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" - remove: field: cisco_ise.log.log_details.RequestReceivedTime ignore_missing: true diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_posture_and_client_provisioning_audit.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_posture_and_client_provisioning_audit.yml index 38a740a9f56..f6d5ef167f3 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_posture_and_client_provisioning_audit.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_posture_and_client_provisioning_audit.yml @@ -50,7 +50,7 @@ processors: ignore_missing: true - append: field: error.message - value: "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" - kv: field: cisco_ise.log.log_details_raw target_field: cisco_ise.log.log_details diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_accounting.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_accounting.yml index 896478a4c13..787dbf97a89 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_accounting.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_accounting.yml 
@@ -52,7 +52,7 @@ processors: ignore_missing: true - append: field: error.message - value: "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" - kv: field: cisco_ise.log.log_details_raw target_field: cisco_ise.log.log_details @@ -221,7 +221,7 @@ processors: on_failure: - append: field: error.message - value: "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" - remove: field: cisco_ise.log.log_details.Event-Timestamp ignore_missing: true diff --git a/packages/cisco_ise/manifest.yml b/packages/cisco_ise/manifest.yml index f6fd3d5e13f..3d7b1f9d468 100644 --- a/packages/cisco_ise/manifest.yml +++ b/packages/cisco_ise/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: cisco_ise title: Cisco ISE -version: "1.23.0" +version: "1.23.1" description: Collect logs from Cisco ISE with Elastic Agent. type: integration categories: diff --git a/packages/citrix_waf/changelog.yml b/packages/citrix_waf/changelog.yml index 13e64adbf02..f80cd3d1dc1 100644 --- a/packages/citrix_waf/changelog.yml +++ b/packages/citrix_waf/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.16.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11286 - version: "1.16.0" changes: - description: "Allow @custom pipeline access to event.original without setting preserve_original_event." diff --git a/packages/citrix_waf/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/citrix_waf/data_stream/log/elasticsearch/ingest_pipeline/default.yml index e16655ea9bd..ea5132f06f9 100644 --- a/packages/citrix_waf/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/citrix_waf/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -153,4 +153,4 @@ on_failure: value: pipeline_error - append: field: error.message - value: "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/citrix_waf/manifest.yml b/packages/citrix_waf/manifest.yml index 70586e92afb..340cb333bbf 100644 --- a/packages/citrix_waf/manifest.yml +++ b/packages/citrix_waf/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: citrix_waf title: "Citrix Web App Firewall" -version: "1.16.0" +version: "1.16.1" description: Ingest events from Citrix Systems Web App Firewall. type: integration categories: diff --git a/packages/fortinet_forticlient/changelog.yml b/packages/fortinet_forticlient/changelog.yml index 4ac11cf7d5d..1c214f96288 100644 --- a/packages/fortinet_forticlient/changelog.yml +++ b/packages/fortinet_forticlient/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.10.3" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11286 - version: "1.10.2" changes: - description: Changed owners diff --git a/packages/fortinet_forticlient/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet_forticlient/data_stream/log/elasticsearch/ingest_pipeline/default.yml index f214e892929..65f759f81e3 100644 --- a/packages/fortinet_forticlient/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/fortinet_forticlient/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -62,7 +62,7 @@ processors: ignore_missing: true - append: field: related.hosts - value: '{{host.name}}' + value: '{{{host.name}}}' allow_duplicates: false if: ctx.host?.name != null && ctx.host?.name != '' - remove: diff --git a/packages/fortinet_forticlient/manifest.yml b/packages/fortinet_forticlient/manifest.yml index 7cfeb013177..6e38ae00d1f 100644 --- a/packages/fortinet_forticlient/manifest.yml 
+++ b/packages/fortinet_forticlient/manifest.yml @@ -1,6 +1,6 @@ name: fortinet_forticlient title: Fortinet FortiClient Logs -version: "1.10.2" +version: "1.10.3" description: Collect logs from Fortinet FortiClient instances with Elastic Agent. type: integration format_version: 2.7.0 diff --git a/packages/fortinet_fortiedr/changelog.yml b/packages/fortinet_fortiedr/changelog.yml index 4ca07de908c..42a6bb0e75c 100644 --- a/packages/fortinet_fortiedr/changelog.yml +++ b/packages/fortinet_fortiedr/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.15.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11286 - version: "1.15.0" changes: - description: Update package spec to 3.0.3. diff --git a/packages/fortinet_fortiedr/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet_fortiedr/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 9e2e0814a5a..71430e61923 100644 --- a/packages/fortinet_fortiedr/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/fortinet_fortiedr/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -189,7 +189,7 @@ processors: if: ctx.user?.id != null - append: field: related.hosts - value: '{{host.name}}' + value: '{{{host.name}}}' allow_duplicates: false if: ctx.host?.name != null && ctx.host?.name != '' - date: diff --git a/packages/fortinet_fortiedr/manifest.yml b/packages/fortinet_fortiedr/manifest.yml index ecbe146d966..98437d3a558 100644 --- a/packages/fortinet_fortiedr/manifest.yml +++ b/packages/fortinet_fortiedr/manifest.yml @@ -1,6 +1,6 @@ name: fortinet_fortiedr title: Fortinet FortiEDR Logs -version: "1.15.0" +version: "1.15.1" description: Collect logs from Fortinet FortiEDR instances with Elastic Agent. type: integration format_version: "3.0.3" 
diff --git a/packages/fortinet_fortigate/changelog.yml b/packages/fortinet_fortigate/changelog.yml index d5fa9f3487f..36113b955b0 100644 --- a/packages/fortinet_fortigate/changelog.yml +++ b/packages/fortinet_fortigate/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.25.8" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11286 - version: "1.25.7" changes: - description: Fixes TLS parsing bug for when tls map is not instantiated yet diff --git a/packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/login.yml b/packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/login.yml index 9d1a63307bf..43b0b92e392 100644 --- a/packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/login.yml +++ b/packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/login.yml @@ -14,15 +14,15 @@ processors: - "authentication" - set: field: "user.name" - value: "{{ source.user.name }}" + value: "{{{ source.user.name }}}" if: ctx.source?.user?.name != null - append: field: "user.roles" - value: "{{ fortinet.firewall.adminprof }}" + value: "{{{ fortinet.firewall.adminprof }}}" if: ctx.fortinet?.firewall?.adminprof != null - append: field: "source.user.roles" - value: "{{ fortinet.firewall.adminprof }}" + value: "{{{ fortinet.firewall.adminprof }}}" if: ctx.fortinet?.firewall?.adminprof != null - dissect: field: "fortinet.firewall.userfrom" @@ -96,12 +96,12 @@ processors: ignore_missing: true - append: field: user.roles - value: "{{ _tmp.user.roles }}" + value: "{{{ _tmp.user.roles }}}" if: ctx._tmp?.user?.roles != null allow_duplicates: false - append: field: source.user.roles - value: "{{ _tmp.user.roles }}" + value: "{{{ _tmp.user.roles }}}" if: ctx._tmp?.user?.roles != null allow_duplicates: false - convert: 
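Review bot: In login.yml's `@@ -14` hunk the two appends of `fortinet.firewall.adminprof` into `user.roles` and `source.user.roles` carry no `allow_duplicates: false`, while the `_tmp.user.roles` appends in the `@@ -96` hunk of the same file do, so if either roles array already holds that value from a processor not visible here it is added a second time. Adding `allow_duplicates: false` to both appends makes the file consistent with itself. The `user.name` set in the first hunk is a single-field copy where `copy_from: source.user.name` would avoid templating entirely; the triple-brace change is otherwise correct here.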
diff --git a/packages/fortinet_fortigate/manifest.yml b/packages/fortinet_fortigate/manifest.yml index c4914d8ca90..4e56533eb98 100644 --- a/packages/fortinet_fortigate/manifest.yml +++ b/packages/fortinet_fortigate/manifest.yml @@ -1,6 +1,6 @@ name: fortinet_fortigate title: Fortinet FortiGate Firewall Logs -version: "1.25.7" +version: "1.25.8" description: Collect logs from Fortinet FortiGate firewalls with Elastic Agent. type: integration format_version: "3.0.3" diff --git a/packages/juniper_junos/changelog.yml b/packages/juniper_junos/changelog.yml index a79fe5448ab..1625d5c484d 100644 --- a/packages/juniper_junos/changelog.yml +++ b/packages/juniper_junos/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.10.3" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11286 - version: "0.10.2" changes: - description: Define missing fields diff --git a/packages/juniper_junos/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/juniper_junos/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 14d62312a1e..beb84d23090 100644 --- a/packages/juniper_junos/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/juniper_junos/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -53,7 +53,7 @@ processors: ignore_missing: true - append: field: related.hosts - value: '{{host.name}}' + value: '{{{host.name}}}' allow_duplicates: false if: ctx.host?.name != null && ctx.host?.name != '' - remove: diff --git a/packages/juniper_junos/manifest.yml b/packages/juniper_junos/manifest.yml index f3b6adfe7f3..9e099ae6cdd 100644 --- a/packages/juniper_junos/manifest.yml +++ b/packages/juniper_junos/manifest.yml 
@@ -1,7 +1,7 @@ format_version: 1.0.0 name: juniper_junos title: Juniper JunOS (Deprecated) -version: "0.10.2" +version: "0.10.3" description: Deprecated. Use the Juniper SRX package instead. categories: ["network", "security"] release: experimental diff --git a/packages/juniper_netscreen/changelog.yml b/packages/juniper_netscreen/changelog.yml index 6611ab39256..b1e83a1c48a 100644 --- a/packages/juniper_netscreen/changelog.yml +++ b/packages/juniper_netscreen/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.10.3" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11286 - version: "0.10.2" changes: - description: Define missing fields diff --git a/packages/juniper_netscreen/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/juniper_netscreen/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 1bfe3bff7f3..07e83fee1bd 100644 --- a/packages/juniper_netscreen/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/juniper_netscreen/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -80,7 +80,7 @@ processors: ignore_missing: true - append: field: related.hosts - value: '{{host.name}}' + value: '{{{host.name}}}' allow_duplicates: false if: ctx.host?.name != null && ctx.host?.name != '' - remove: diff --git a/packages/juniper_netscreen/manifest.yml b/packages/juniper_netscreen/manifest.yml index a338b66fbe0..c3a024c471b 100644 --- a/packages/juniper_netscreen/manifest.yml +++ b/packages/juniper_netscreen/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: juniper_netscreen title: Juniper NetScreen (Deprecated) -version: "0.10.2" +version: "0.10.3" description: Deprecated. Juniper NetScreen is no longer supported. categories: ["network", "security", "firewall_security"] release: experimental 
diff --git a/packages/juniper_srx/changelog.yml b/packages/juniper_srx/changelog.yml index cead66527f7..816dc77b196 100644 --- a/packages/juniper_srx/changelog.yml +++ b/packages/juniper_srx/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.21.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11286 - version: "1.21.0" changes: - description: Update package spec to 3.0.3. diff --git a/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/atp.yml b/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/atp.yml index a165dc87a40..700ac039240 100644 --- a/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/atp.yml +++ b/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/atp.yml @@ -51,7 +51,7 @@ processors: if: "ctx.juniper?.srx?.destination_address != null" - set: field: server.ip - value: '{{destination.ip}}' + value: '{{{destination.ip}}}' if: "ctx.destination?.ip != null" - rename: field: juniper.srx.nat_destination_address @@ -67,7 +67,7 @@ processors: if: "ctx.juniper?.srx?.destination_port != null" - set: field: server.port - value: '{{destination.port}}' + value: '{{{destination.port}}}' if: "ctx.destination?.port != null" - convert: field: server.port @@ -85,7 +85,7 @@ processors: if: "ctx.juniper?.srx?.nat_destination_port != null" - set: field: server.nat.port - value: '{{destination.nat.port}}' + value: '{{{destination.nat.port}}}' if: "ctx.destination?.nat?.port != null" - convert: field: server.nat.port @@ -103,7 +103,7 @@ processors: if: "ctx.juniper?.srx?.bytes_from_server != null" - set: field: server.bytes - value: '{{destination.bytes}}' + value: '{{{destination.bytes}}}' if: "ctx.destination?.bytes != null" - convert: field: server.bytes 
@@ -121,7 +121,7 @@ processors: if: "ctx.juniper?.srx?.packets_from_server != null" - set: field: server.packets - value: '{{destination.packets}}' + value: '{{{destination.packets}}}' if: "ctx.destination?.packets != null" - convert: field: server.packets @@ -141,7 +141,7 @@ processors: if: "ctx.juniper?.srx?.source_address != null" - set: field: client.ip - value: '{{source.ip}}' + value: '{{{source.ip}}}' if: "ctx.source?.ip != null" - rename: field: juniper.srx.nat_source_address @@ -162,7 +162,7 @@ processors: if: "ctx.juniper?.srx?.source_port != null" - set: field: client.port - value: '{{source.port}}' + value: '{{{source.port}}}' if: "ctx.source?.port != null" - convert: field: client.port @@ -180,7 +180,7 @@ processors: if: "ctx.juniper?.srx?.nat_source_port != null" - set: field: client.nat.port - value: '{{source.nat.port}}' + value: '{{{source.nat.port}}}' if: "ctx.source?.nat?.port != null" - convert: field: client.nat.port @@ -198,7 +198,7 @@ processors: if: "ctx.juniper?.srx?.bytes_from_client != null" - set: field: client.bytes - value: '{{source.bytes}}' + value: '{{{source.bytes}}}' if: "ctx.source?.bytes != null" - convert: field: client.bytes @@ -216,7 +216,7 @@ processors: if: "ctx.juniper?.srx?.packets_from_client != null" - set: field: client.packets - value: '{{source.packets}}' + value: '{{{source.packets}}}' if: "ctx.source?.packets != null" - convert: field: client.packets diff --git a/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/default.yml index c6f779f54c7..b633ea41a92 100644 --- a/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -71,7 +71,7 @@ processors: - MMM d HH:mm:ss - date: if: "ctx?.event?.timezone != null" - timezone: "{{ event.timezone }}" + timezone: "{{{ event.timezone }}}" field: _temp_.raw_date target_field: "@timestamp" formats: @@ -280,55 +280,55 @@ processors: - append: if: 'ctx.source?.ip != null' field: related.ip - value: '{{source.ip}}' + value: '{{{source.ip}}}' ignore_failure: true allow_duplicates: false - append: if: 'ctx.destination?.ip != null' field: related.ip - value: '{{destination.ip}}' + value: '{{{destination.ip}}}' ignore_failure: true allow_duplicates: false - append: if: 'ctx.source?.nat?.ip != null' field: related.ip - value: '{{source.nat.ip}}' + value: '{{{source.nat.ip}}}' ignore_failure: true allow_duplicates: false - append: if: 'ctx?.destination?.nat?.ip != null' field: related.ip - value: '{{destination.nat.ip}}' + value: '{{{destination.nat.ip}}}' ignore_failure: true allow_duplicates: false - append: if: 'ctx.url?.domain != null' field: related.hosts - value: '{{url.domain}}' + value: '{{{url.domain}}}' ignore_failure: true allow_duplicates: false - append: if: 'ctx.source?.domain != null' field: related.hosts - value: '{{source.domain}}' + value: '{{{source.domain}}}' ignore_failure: true allow_duplicates: false - append: if: 'ctx.destination?.domain != null' field: related.hosts - value: '{{destination.domain}}' + value: '{{{destination.domain}}}' ignore_failure: true allow_duplicates: false - append: if: 'ctx?.source?.user?.name != null' field: related.user - value: '{{source.user.name}}' + value: '{{{source.user.name}}}' ignore_failure: true allow_duplicates: false - append: if: 'ctx?.destination?.user?.name != null' field: related.user - value: '{{destination.user.name}}' + value: '{{{destination.user.name}}}' ignore_failure: true allow_duplicates: false - remove: 
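Review bot: The `related.hosts` and `related.user` appends in the second hunk guard only against null, so an empty `url.domain`, `source.domain`, `destination.domain` or `*.user.name` renders as `""` and is appended as an empty entry; the junos and netscreen pipelines in this same patch use `ctx.host?.name != null && ctx.host?.name != ''` for the equivalent append. Extending each condition the same way, e.g. `if: "ctx.url?.domain != null && ctx.url.domain != ''"`, would keep empty strings out of the related.* fields. Whether empty values actually reach these processors depends on the earlier part of the pipeline, which is outside the hunk.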
diff --git a/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/flow.yml b/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/flow.yml index 5351615c4ab..a11dfa9ffcb 100644 --- a/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/flow.yml +++ b/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/flow.yml @@ -63,7 +63,7 @@ processors: if: "ctx.juniper?.srx?.destination_address != null" - set: field: server.ip - value: '{{destination.ip}}' + value: '{{{destination.ip}}}' if: "ctx.destination?.ip != null" - rename: field: juniper.srx.nat_destination_address @@ -79,7 +79,7 @@ processors: if: "ctx.juniper?.srx?.destination_port != null" - set: field: server.port - value: '{{destination.port}}' + value: '{{{destination.port}}}' if: "ctx?.destination?.port != null" - convert: field: server.port @@ -97,7 +97,7 @@ processors: if: "ctx.juniper?.srx?.nat_destination_port != null" - set: field: server.nat.port - value: '{{destination.nat.port}}' + value: '{{{destination.nat.port}}}' if: "ctx.destination?.nat?.port != null" - convert: field: server.nat.port @@ -115,7 +115,7 @@ processors: if: "ctx.juniper?.srx?.bytes_from_server != null" - set: field: server.bytes - value: '{{destination.bytes}}' + value: '{{{destination.bytes}}}' if: "ctx.destination?.bytes != null" - convert: field: server.bytes @@ -133,7 +133,7 @@ processors: if: "ctx.juniper?.srx?.packets_from_server != null" - set: field: server.packets - value: '{{destination.packets}}' + value: '{{{destination.packets}}}' if: "ctx.destination?.packets != null" - convert: field: server.packets @@ -153,7 +153,7 @@ processors: if: "ctx.juniper?.srx?.source_address != null" - set: field: client.ip - value: '{{source.ip}}' + value: '{{{source.ip}}}' if: "ctx.source?.ip != null" - rename: field: juniper.srx.nat_source_address 
@@ -174,7 +174,7 @@ processors: if: "ctx.juniper?.srx?.source_port != null" - set: field: client.port - value: '{{source.port}}' + value: '{{{source.port}}}' if: "ctx.source?.port != null" - convert: field: client.port @@ -192,7 +192,7 @@ processors: if: "ctx.juniper?.srx?.nat_source_port != null" - set: field: client.nat.port - value: '{{source.nat.port}}' + value: '{{{source.nat.port}}}' if: "ctx.source?.nat?.port != null" - convert: field: client.nat.port @@ -210,7 +210,7 @@ processors: if: "ctx.juniper?.srx?.bytes_from_client != null" - set: field: client.bytes - value: '{{source.bytes}}' + value: '{{{source.bytes}}}' if: "ctx.source?.bytes != null" - convert: field: client.bytes @@ -228,7 +228,7 @@ processors: if: "ctx.juniper?.srx?.packets_from_client != null" - set: field: client.packets - value: '{{source.packets}}' + value: '{{{source.packets}}}' if: "ctx.source?.packets != null" - convert: field: client.packets diff --git a/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/idp.yml b/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/idp.yml index a473510d83c..51637f35cf5 100644 --- a/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/idp.yml +++ b/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/idp.yml @@ -55,7 +55,7 @@ processors: if: "ctx.juniper?.srx?.destination_address != null" - set: field: server.ip - value: '{{destination.ip}}' + value: '{{{destination.ip}}}' if: "ctx.destination?.ip != null" - rename: field: juniper.srx.nat_destination_address @@ -71,7 +71,7 @@ processors: if: "ctx.juniper?.srx?.destination_port != null" - set: field: server.port - value: '{{destination.port}}' + value: '{{{destination.port}}}' if: "ctx.destination?.port != null" - convert: field: server.port 
@@ -89,7 +89,7 @@ processors: if: "ctx.juniper?.srx['nat_destination_port'] != null" - set: field: server.nat.port - value: '{{destination.nat.port}}' + value: '{{{destination.nat.port}}}' if: "ctx.destination?.nat?.port != null" - convert: field: server.nat.port @@ -107,7 +107,7 @@ processors: if: "ctx.juniper?.srx?.inbound_bytes != null" - set: field: server.bytes - value: '{{destination.bytes}}' + value: '{{{destination.bytes}}}' if: "ctx.destination?.bytes != null" - convert: field: server.bytes @@ -125,7 +125,7 @@ processors: if: "ctx.juniper?.srx?.inbound_packets !=null" - set: field: server.packets - value: '{{destination.packets}}' + value: '{{{destination.packets}}}' if: "ctx.destination?.packets != null" - convert: field: server.packets @@ -145,7 +145,7 @@ processors: if: "ctx.juniper?.srx?.source_address != null" - set: field: client.ip - value: '{{source.ip}}' + value: '{{{source.ip}}}' if: "ctx.source?.ip != null" - rename: field: juniper.srx.nat_source_address @@ -166,7 +166,7 @@ processors: if: "ctx.juniper?.srx?.source_port != null" - set: field: client.port - value: '{{source.port}}' + value: '{{{source.port}}}' if: "ctx.source?.port != null" - convert: field: client.port @@ -184,7 +184,7 @@ processors: if: "ctx.juniper?.srx?.nat_source_port != null" - set: field: client.nat.port - value: '{{source.nat.port}}' + value: '{{{source.nat.port}}}' if: "ctx.source?.nat?.port != null" - convert: field: client.nat.port @@ -202,7 +202,7 @@ processors: if: "ctx.juniper?.srx?.outbound_bytes != null" - set: field: client.bytes - value: '{{source.bytes}}' + value: '{{{source.bytes}}}' if: "ctx.source?.bytes != null" - convert: field: client.bytes @@ -220,7 +220,7 @@ processors: if: "ctx.juniper?.srx?.outbound_packets != null" - set: field: client.packets - value: '{{source.packets}}' + value: '{{{source.packets}}}' if: "ctx.source?.packets != null" - convert: field: client.packets 
diff --git a/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/ids.yml b/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/ids.yml index c007b58f1e8..d54b4037d1d 100644 --- a/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/ids.yml +++ b/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/ids.yml @@ -83,7 +83,7 @@ processors: if: "ctx.juniper?.srx?.destination_address != null" - set: field: server.ip - value: '{{destination.ip}}' + value: '{{{destination.ip}}}' if: "ctx.destination?.ip != null" - rename: field: juniper.srx.nat_destination_address @@ -99,7 +99,7 @@ processors: if: "ctx.juniper?.srx?.destination_port != null" - set: field: server.port - value: '{{destination.port}}' + value: '{{{destination.port}}}' if: "ctx.destination?.port != null" - convert: field: server.port @@ -117,7 +117,7 @@ processors: if: "ctx.juniper?.srx?.nat_destination_port != null" - set: field: server.nat.port - value: '{{destination.nat.port}}' + value: '{{{destination.nat.port}}}' if: "ctx.destination?.nat?.port != null" - convert: field: server.nat.port @@ -135,7 +135,7 @@ processors: if: "ctx.juniper?.srx?.bytes_from_server != null" - set: field: server.bytes - value: '{{destination.bytes}}' + value: '{{{destination.bytes}}}' if: "ctx.destination?.bytes != null" - convert: field: server.bytes @@ -153,7 +153,7 @@ processors: if: "ctx.juniper?.srx?.packets_from_server !=null" - set: field: server.packets - value: '{{destination.packets}}' + value: '{{{destination.packets}}}' if: "ctx.destination?.packets != null" - convert: field: server.packets @@ -173,7 +173,7 @@ processors: if: "ctx.juniper?.srx?.source_address != null" - set: field: client.ip - value: '{{source.ip}}' + value: '{{{source.ip}}}' if: "ctx.source?.ip != null" - rename: field: juniper.srx.nat_source_address 
@@ -194,7 +194,7 @@ processors: if: "ctx.juniper?.srx?.source_port != null" - set: field: client.port - value: '{{source.port}}' + value: '{{{source.port}}}' if: "ctx.source?.port != null" - convert: field: client.port @@ -212,7 +212,7 @@ processors: if: "ctx.juniper?.srx?.nat_source_port != null" - set: field: client.nat.port - value: '{{source.nat.port}}' + value: '{{{source.nat.port}}}' if: "ctx.source?.nat?.port != null" - convert: field: client.nat.port @@ -230,7 +230,7 @@ processors: if: "ctx.juniper?.srx?.bytes_from_client != null" - set: field: client.bytes - value: '{{source.bytes}}' + value: '{{{source.bytes}}}' if: "ctx.source?.bytes != null" - convert: field: client.bytes @@ -248,7 +248,7 @@ processors: if: "ctx.juniper?.srx?.packets_from_client != null" - set: field: client.packets - value: '{{source.packets}}' + value: '{{{source.packets}}}' if: "ctx.source?.packets != null" - convert: field: client.packets diff --git a/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/secintel.yml b/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/secintel.yml index 782d139680e..b9dbbeabda8 100644 --- a/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/secintel.yml +++ b/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/secintel.yml @@ -51,7 +51,7 @@ processors: if: "ctx.juniper?.srx?.destination_address != null" - set: field: server.ip - value: '{{destination.ip}}' + value: '{{{destination.ip}}}' if: "ctx.destination?.ip != null" - rename: field: juniper.srx.nat_destination_address @@ -67,7 +67,7 @@ processors: if: "ctx.juniper?.srx?.destination_port != null" - set: field: server.port - value: '{{destination.port}}' + value: '{{{destination.port}}}' if: "ctx.destination?.port != null" - convert: field: server.port 
@@ -85,7 +85,7 @@ processors: if: "ctx.juniper?.srx?.nat_destination_port != null" - set: field: server.nat.port - value: '{{destination.nat.port}}' + value: '{{{destination.nat.port}}}' if: "ctx.destination?.nat?.port != null" - convert: field: server.nat.port @@ -103,7 +103,7 @@ processors: if: "ctx.juniper?.srx?.bytes_from_server != null" - set: field: server.bytes - value: '{{destination.bytes}}' + value: '{{{destination.bytes}}}' if: "ctx.destination?.bytes != null" - convert: field: server.bytes @@ -121,7 +121,7 @@ processors: if: "ctx.juniper?.srx?.packets_from_server !=null" - set: field: server.packets - value: '{{destination.packets}}' + value: '{{{destination.packets}}}' if: "ctx.destination?.packets != null" - convert: field: server.packets @@ -141,7 +141,7 @@ processors: if: "ctx.juniper?.srx?.source_address != null" - set: field: client.ip - value: '{{source.ip}}' + value: '{{{source.ip}}}' if: "ctx.source?.ip != null" - rename: field: juniper.srx.nat_source_address @@ -162,7 +162,7 @@ processors: if: "ctx.juniper?.srx?.source_port != null" - set: field: client.port - value: '{{source.port}}' + value: '{{{source.port}}}' if: "ctx.source?.port != null" - convert: field: client.port @@ -180,7 +180,7 @@ processors: if: "ctx.juniper?.srx?.nat_source_port != null" - set: field: client.nat.port - value: '{{source.nat.port}}' + value: '{{{source.nat.port}}}' if: "ctx.source?.nat?.port != null" - convert: field: client.nat.port @@ -198,7 +198,7 @@ processors: if: "ctx.juniper?.srx?.bytes_from_client != null" - set: field: client.bytes - value: '{{source.bytes}}' + value: '{{{source.bytes}}}' if: "ctx.source?.bytes != null" - convert: field: client.bytes @@ -216,7 +216,7 @@ processors: if: "ctx.juniper?.srx?.packets_from_client != null" - set: field: client.packets - value: '{{source.packets}}' + value: '{{{source.packets}}}' if: "ctx.source?.packets != null" - convert: field: client.packets 
diff --git a/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/system.yml b/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/system.yml index 7b5ae8e6f09..940dab42c27 100644 --- a/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/system.yml +++ b/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/system.yml @@ -431,7 +431,7 @@ processors: if: "ctx.destination?.ip == null && ctx.juniper?.srx?.firewall?.dst_addr != null" - set: field: server.ip - value: '{{destination.ip}}' + value: '{{{destination.ip}}}' if: "ctx.destination?.ip != null" - rename: field: juniper.srx.nat_remote_address @@ -467,7 +467,7 @@ processors: value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: server.port - value: '{{destination.port}}' + value: '{{{destination.port}}}' if: "ctx.destination?.port != null" - convert: field: server.port @@ -493,7 +493,7 @@ processors: value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: server.nat.port - value: '{{destination.nat.port}}' + value: '{{{destination.nat.port}}}' if: "ctx.destination?.nat?.port != null" - convert: field: server.nat.port @@ -519,7 +519,7 @@ processors: value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: server.bytes - value: '{{destination.bytes}}' + value: '{{{destination.bytes}}}' if: "ctx.destination?.bytes != null" - convert: field: server.bytes 
@@ -545,7 +545,7 @@ processors: value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: server.packets - value: '{{destination.packets}}' + value: '{{{destination.packets}}}' if: "ctx.destination?.packets != null" - convert: field: server.packets @@ -579,7 +579,7 @@ processors: if: "ctx.juniper?.srx?.firewall?.src_addr != null" - set: field: client.ip - value: '{{source.ip}}' + value: '{{{source.ip}}}' if: "ctx.source?.ip != null" - rename: field: juniper.srx.nat_local_address @@ -620,7 +620,7 @@ processors: value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: client.port - value: '{{source.port}}' + value: '{{{source.port}}}' if: "ctx.source?.port != null" - convert: field: client.port @@ -646,7 +646,7 @@ processors: value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: client.nat.port - value: '{{source.nat.port}}' + value: '{{{source.nat.port}}}' if: "ctx.source?.nat?.port != null" - convert: field: client.nat.port @@ -672,7 +672,7 @@ processors: value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: client.bytes - value: '{{source.bytes}}' + value: '{{{source.bytes}}}' if: "ctx.source?.bytes != null" - convert: field: client.bytes 
@@ -709,7 +709,7 @@ processors: value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: client.packets - value: '{{source.packets}}' + value: '{{{source.packets}}}' if: "ctx.source?.packets != null" - convert: field: client.packets @@ -734,12 +734,12 @@ processors: - append: if: 'ctx.juniper?.srx?.system?.local_gateway != null' field: related.ip - value: '{{juniper.srx.system.local_gateway}}' + value: '{{{juniper.srx.system.local_gateway}}}' allow_duplicates: false - append: if: 'ctx.juniper?.srx?.system?.remote_gateway != null' field: related.ip - value: '{{juniper.srx.system.remote_gateway}}' + value: '{{{juniper.srx.system.remote_gateway}}}' allow_duplicates: false ###################### diff --git a/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/utm.yml b/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/utm.yml index 92f8ab807b6..f9452f64d47 100644 --- a/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/utm.yml +++ b/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/utm.yml @@ -69,7 +69,7 @@ processors: if: "ctx.juniper?.srx?.destination_address != null" - set: field: server.ip - value: '{{destination.ip}}' + value: '{{{destination.ip}}}' if: "ctx.destination?.ip != null" - rename: field: juniper.srx.nat_destination_address @@ -85,7 +85,7 @@ processors: if: "ctx.juniper?.srx?.destination_port != null" - set: field: server.port - value: '{{destination.port}}' + value: '{{{destination.port}}}' if: "ctx.destination?.port != null" - convert: field: server.port @@ -103,7 +103,7 @@ processors: if: "ctx.juniper?.srx?.nat_destination_port != null" - set: field: server.nat.port - value: '{{destination.nat.port}}' + value: '{{{destination.nat.port}}}' if: "ctx.destination?.nat?.port != null" - convert: field: server.nat.port 
@@ -121,7 +121,7 @@ processors: if: "ctx.juniper?.srx?.bytes_from_server != null" - set: field: server.bytes - value: '{{destination.bytes}}' + value: '{{{destination.bytes}}}' if: "ctx.destination?.bytes != null" - convert: field: server.bytes @@ -139,7 +139,7 @@ processors: if: "ctx.juniper?.srx?.packets_from_server !=null" - set: field: server.packets - value: '{{destination.packets}}' + value: '{{{destination.packets}}}' if: "ctx.destination?.packets != null" - convert: field: server.packets @@ -159,7 +159,7 @@ processors: if: "ctx.juniper?.srx?.source_address != null" - set: field: client.ip - value: '{{source.ip}}' + value: '{{{source.ip}}}' if: "ctx.source?.ip != null" - rename: field: juniper.srx.nat_source_address @@ -180,7 +180,7 @@ processors: if: "ctx.juniper?.srx?.source_port != null" - set: field: client.port - value: '{{source.port}}' + value: '{{{source.port}}}' if: "ctx.source?.port != null" - convert: field: client.port @@ -198,7 +198,7 @@ processors: if: "ctx.juniper?.srx?.nat_source_port != null" - set: field: client.nat.port - value: '{{source.nat.port}}' + value: '{{{source.nat.port}}}' if: "ctx.source?.nat?.port != null" - convert: field: client.nat.port @@ -216,7 +216,7 @@ processors: if: "ctx.juniper?.srx?.bytes_from_client != null" - set: field: client.bytes - value: '{{source.bytes}}' + value: '{{{source.bytes}}}' if: "ctx.source?.bytes != null" - convert: field: client.bytes @@ -234,7 +234,7 @@ processors: if: "ctx.juniper?.srx?.packets_from_client != null" - set: field: client.packets - value: '{{source.packets}}' + value: '{{{source.packets}}}' if: "ctx.source?.packets != null" - convert: field: client.packets diff --git a/packages/juniper_srx/manifest.yml b/packages/juniper_srx/manifest.yml index e57fbed7a04..64c2fe3b761 100644 --- a/packages/juniper_srx/manifest.yml +++ b/packages/juniper_srx/manifest.yml 
@@ -1,7 +1,7 @@
format_version: "3.0.3"
name: juniper_srx
title: Juniper SRX
-version: "1.21.0"
+version: "1.21.1"
description: Collect logs from Juniper SRX devices with Elastic Agent.
categories: ["network", "security", "firewall_security"]
type: integration
diff --git a/packages/modsecurity/changelog.yml b/packages/modsecurity/changelog.yml
index fc1c67fb45f..8bc64ac1d76 100644
--- a/packages/modsecurity/changelog.yml
+++ b/packages/modsecurity/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.18.1"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11286
- version: "1.18.0"
changes:
- description: Update package spec to 3.0.3.
diff --git a/packages/modsecurity/data_stream/auditlog/elasticsearch/ingest_pipeline/apache-modsec.yml b/packages/modsecurity/data_stream/auditlog/elasticsearch/ingest_pipeline/apache-modsec.yml
index 058223370e1..cf9c545650f 100644
--- a/packages/modsecurity/data_stream/auditlog/elasticsearch/ingest_pipeline/apache-modsec.yml
+++ b/packages/modsecurity/data_stream/auditlog/elasticsearch/ingest_pipeline/apache-modsec.yml
@@ -41,7 +41,7 @@ processors:
- date:
field: _temps.date
- timezone: "{{ event.timezone }}"
+ timezone: "{{{ event.timezone }}}"
formats:
- d/MMM/yyyy:HH:mm:ss
- d/MMM/yyyy:HH:mm:ss Z
diff --git a/packages/modsecurity/data_stream/auditlog/elasticsearch/ingest_pipeline/nginx-modsec.yml b/packages/modsecurity/data_stream/auditlog/elasticsearch/ingest_pipeline/nginx-modsec.yml
index 2ccf8c39c6e..05d694cf256 100644
--- a/packages/modsecurity/data_stream/auditlog/elasticsearch/ingest_pipeline/nginx-modsec.yml
+++ b/packages/modsecurity/data_stream/auditlog/elasticsearch/ingest_pipeline/nginx-modsec.yml
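Review bot: The `date` processor in the apache-modsec.yml hunk has no `if`, so when `event.timezone` is absent the new `timezone: "{{{ event.timezone }}}"` renders as an empty string and is handed to the processor as the zone id, which I would expect to be rejected rather than treated as UTC; the juniper_srx default.yml date processor in this same patch guards its templated timezone with `if: "ctx?.event?.timezone != null"` and is preceded by a date processor without one. The nginx-modsec.yml hunk has the same shape. Unless an earlier processor outside the hunk always sets `event.timezone`, the same guard-plus-fallback pattern, or a `set` of a default `event.timezone` earlier in the pipeline, would close the gap.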
@@ -31,7 +31,7 @@ processors: - date: field: _temps.date - timezone: "{{ event.timezone }}" + timezone: "{{{ event.timezone }}}" formats: - E MMM dd HH:mm:ss yyyy - E MMM d HH:mm:ss yyyy diff --git a/packages/modsecurity/manifest.yml b/packages/modsecurity/manifest.yml index 19380866fc9..206410ee5af 100644 --- a/packages/modsecurity/manifest.yml +++ b/packages/modsecurity/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: modsecurity title: "ModSecurity Audit" -version: "1.18.0" +version: "1.18.1" description: Collect logs from ModSecurity with Elastic Agent type: integration categories: diff --git a/packages/netflow/changelog.yml b/packages/netflow/changelog.yml index 80e792bb7a0..95e2ce77295 100644 --- a/packages/netflow/changelog.yml +++ b/packages/netflow/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.19.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11286 - version: "2.19.0" changes: - description: Append all ip addresses found to related.ip field. diff --git a/packages/netflow/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/netflow/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 761ff7f3d3b..ed3e09771ea 100644 --- a/packages/netflow/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/netflow/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -16,7 +16,7 @@ processors: ignore_missing: true - append: field: observer.ip - value: '{{_tmp_.observer.ip}}' + value: '{{{_tmp_.observer.ip}}}' if: ctx._tmp_?.observer?.ip != null - set: field: event.category @@ -26,7 +26,7 @@ processors: if: ctx.event?.category != null && ctx.event?.category == "network_session" - append: field: related.ip - value: '{{_tmp_.observer.ip}}' + value: '{{{_tmp_.observer.ip}}}' allow_duplicates: false if: (ctx._tmp_?.observer?.ip != null) - script: 
diff --git a/packages/netflow/manifest.yml b/packages/netflow/manifest.yml index 4ea19548e98..01f0dc2fa22 100644 --- a/packages/netflow/manifest.yml +++ b/packages/netflow/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: netflow title: NetFlow Records -version: "2.19.0" +version: "2.19.1" description: Collect flow records from NetFlow and IPFIX exporters with Elastic Agent. type: integration categories: diff --git a/packages/netscout/changelog.yml b/packages/netscout/changelog.yml index 1161d3949db..0fc2562369b 100644 --- a/packages/netscout/changelog.yml +++ b/packages/netscout/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.20.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11286 - version: "0.20.0" changes: - description: Deprecate package. diff --git a/packages/netscout/data_stream/sightline/elasticsearch/ingest_pipeline/default.yml b/packages/netscout/data_stream/sightline/elasticsearch/ingest_pipeline/default.yml index 09856ca9711..df70c664530 100644 --- a/packages/netscout/data_stream/sightline/elasticsearch/ingest_pipeline/default.yml +++ b/packages/netscout/data_stream/sightline/elasticsearch/ingest_pipeline/default.yml @@ -54,7 +54,7 @@ processors: ignore_missing: true - append: field: related.hosts - value: '{{host.name}}' + value: '{{{host.name}}}' allow_duplicates: false if: ctx.host?.name != null && ctx.host?.name != '' - remove: diff --git a/packages/netscout/manifest.yml b/packages/netscout/manifest.yml index 77fee095b6a..ca20788912b 100644 --- a/packages/netscout/manifest.yml +++ b/packages/netscout/manifest.yml @@ -1,7 +1,7 @@ format_version: 2.7.0 name: netscout title: Arbor Peakflow SP Logs (Deprecated) -version: "0.20.0" +version: "0.20.1" description: Deprecated. Netscout Arbor Peakflow SP is no longer supported. categories: ["security", "network"] type: integration 
diff --git a/packages/osquery/changelog.yml b/packages/osquery/changelog.yml
index 83e2b5f41b9..ead49244af2 100644
--- a/packages/osquery/changelog.yml
+++ b/packages/osquery/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.19.1"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11286
- version: "1.19.0"
changes:
- description: Update package spec to 3.0.3.
diff --git a/packages/osquery/data_stream/result/elasticsearch/ingest_pipeline/default.yml b/packages/osquery/data_stream/result/elasticsearch/ingest_pipeline/default.yml
index aea17406ba2..2d262f20724 100644
--- a/packages/osquery/data_stream/result/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/osquery/data_stream/result/elasticsearch/ingest_pipeline/default.yml
@@ -69,7 +69,7 @@ processors:
value: info
- set:
field: event.action
- value: "{{osquery.result.action}}"
+ value: "{{{osquery.result.action}}}"
ignore_empty_value: true
- date:
field: osquery.result.columns.atime
@@ -94,72 +94,72 @@ processors:
 if: ctx?.osquery?.result?.columns?.mtime != null
 - set:
 field: file.directory
- value: "{{osquery.result.columns.directory}}"
+ value: "{{{osquery.result.columns.directory}}}"
 ignore_empty_value: true
 - set:
 field: file.name
- value: "{{osquery.result.columns.filename}}"
+ value: "{{{osquery.result.columns.filename}}}"
 ignore_empty_value: true
 - set:
 field: file.gid
- value: "{{osquery.result.columns.gid}}"
+ value: "{{{osquery.result.columns.gid}}}"
 ignore_empty_value: true
 - set:
 field: file.inode
- value: "{{osquery.result.columns.inode}}"
+ value: "{{{osquery.result.columns.inode}}}"
 ignore_empty_value: true
 - set:
 field: file.mode
- value: "{{osquery.result.columns.mode}}"
+ value: "{{{osquery.result.columns.mode}}}"
 ignore_empty_value: true
 - set:
 field: file.path
- value: "{{osquery.result.columns.path}}"
+ value: "{{{osquery.result.columns.path}}}"
 ignore_empty_value: true
 - set:
 field: file.size
- value: "{{osquery.result.columns.size}}"
+ value: "{{{osquery.result.columns.size}}}"
 ignore_empty_value: true
 - set:
 field: file.type
- value: "{{osquery.result.columns.type}}"
+ value: "{{{osquery.result.columns.type}}}"
 ignore_empty_value: true
 - set:
 field: file.uid
- value: "{{osquery.result.columns.uid}}"
+ value: "{{{osquery.result.columns.uid}}}"
 ignore_empty_value: true
 - set:
 field: user.name
- value: "{{osquery.result.decorations.username}}"
+ value: "{{{osquery.result.decorations.username}}}"
 ignore_empty_value: true
 - append:
 field: related.user
- value: "{{user.name}}"
+ value: "{{{user.name}}}"
 if: ctx?.user?.name != null
 - set:
 field: host.hostname
- value: "{{osquery.result.host_identifier}}"
+ value: "{{{osquery.result.host_identifier}}}"
 ignore_empty_value: true
 - set:
 field: host.id
- value: "{{osquery.result.decorations.host_uuid}}"
+ value: "{{{osquery.result.decorations.host_uuid}}}"
 ignore_empty_value: true
 - set:
 field: process.name
- value: "{{osquery.result.columns.process}}"
+ value: "{{{osquery.result.columns.process}}}"
 ignore_empty_value: true
 - set:
 field: url.full
- value: "{{osquery.result.columns.source_url}}"
+ value: "{{{osquery.result.columns.source_url}}}"
 if: ctx?.osquery?.result?.columns?.source_url != 'null'
 ignore_empty_value: true
 - set:
 field: rule.name
- value: "{{osquery.result.name}}"
+ value: "{{{osquery.result.name}}}"
 ignore_empty_value: true
 - append:
 field: related.hosts
- value: "{{host.hostname}}"
+ value: "{{{host.hostname}}}"
 if: ctx?.host?.hostname != null && ctx.host?.hostname != ''
 allow_duplicates: false
 - convert:
diff --git a/packages/osquery/manifest.yml b/packages/osquery/manifest.yml
index 3a836d763d8..2d9c4e78c8f 100644
--- a/packages/osquery/manifest.yml
+++ b/packages/osquery/manifest.yml
@@ -1,6 +1,6 @@
 name: osquery
 title: Osquery Logs
-version: "1.19.0"
+version: "1.19.1"
 description: Collect logs from Osquery with Elastic Agent.
 type: integration
 icons:
diff --git a/packages/pfsense/changelog.yml b/packages/pfsense/changelog.yml
index c91bd7f1082..76855fe85c4 100644
--- a/packages/pfsense/changelog.yml
+++ b/packages/pfsense/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.20.1"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11286
 - version: "1.20.0"
 changes:
 - description: Add SNORT log processing
diff --git a/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index de94cc13bc3..afd4477b368 100644
--- a/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -20,7 +20,7 @@ processors:
 value: event
 - set:
 field: event.timezone
- value: "{{_tmp.tz_offset}}"
+ value: "{{{_tmp.tz_offset}}}"
 if: ctx._tmp?.tz_offset != null && ctx._tmp?.tz_offset != 'local'
 - grok:
 description: Parse syslog header
@@ -54,7 +54,7 @@ processors:
 - MMM d HH:mm:ss
 - MMM d HH:mm:ss
 - MMM dd HH:mm:ss
- timezone: '{{ event.timezone }}'
+ timezone: '{{{ event.timezone }}}'
 - grok:
 description: Set Event Provider
 field: process.name
@@ -170,26 +170,26 @@ processors:
 ignore_empty_value: true
 - append:
 field: related.ip
- value: "{{destination.ip}}"
+ value: "{{{destination.ip}}}"
 allow_duplicates: false
 if: ctx.destination?.ip != null
 - append:
 field: related.ip
- value: "{{source.ip}}"
+ value: "{{{source.ip}}}"
 allow_duplicates: false
 if: ctx.source?.ip != null
 - append:
 field: related.ip
- value: "{{source.nat.ip}}"
+ value: "{{{source.nat.ip}}}"
 allow_duplicates: false
 if: ctx.source?.nat?.ip != null
 - append:
 field: related.hosts
- value: "{{destination.domain}}"
+ value: "{{{destination.domain}}}"
 if: "ctx.destination?.domain != null"
 - append:
 field: related.user
- value: "{{user.name}}"
+ value: "{{{user.name}}}"
 if: "ctx.user?.name != null"
 - set:
 field: network.direction
diff --git a/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml b/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml
index bfa44b931fc..517a380e1a1 100644
--- a/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml
+++ b/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml
@@ -84,7 +84,7 @@ processors:
 ignore_empty_value: true
 - append:
 field: related.hosts
- value: "{{pfsense.dhcp.hostname}}"
+ value: "{{{pfsense.dhcp.hostname}}}"
 allow_duplicates: false
 if: "ctx.pfsense?.log?.dhcp?.hostname != null"
 on_failure:
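Review bot: In the dhcp.yml hunk the template reads `pfsense.dhcp.hostname` while the guarding condition checks `ctx.pfsense?.log?.dhcp?.hostname`, so the two refer to different paths: if the field lives under `pfsense.dhcp` the `if` never fires, and if it lives under `pfsense.log.dhcp` the processor fires but the Mustache variable would likely render as an empty string that is then appended to `related.hosts`. Unless an earlier processor outside the hunk moves the field, one side should change, e.g. `if: "ctx.pfsense?.dhcp?.hostname != null"`. The `related.hosts` append on `{{{destination.domain}}}` and the `related.user` append on `{{{user.name}}}` in default.yml's third hunk also lack the `allow_duplicates: false` their sibling `related.ip` appends carry. Both processor lists continue outside the hunks.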
diff --git a/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/haproxy.yml b/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/haproxy.yml
index a0c8208b150..bce0e8953fd 100644
--- a/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/haproxy.yml
+++ b/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/haproxy.yml
@@ -40,7 +40,7 @@ processors:
 formats:
 - dd/MMM/yyyy:HH:mm:ss.SSS
 - MMM dd HH:mm:ss
- timezone: '{{ event.timezone }}'
+ timezone: '{{{ event.timezone }}}'
 - remove:
 field: haproxy.request_date
 ignore_missing: true
diff --git a/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/ipsec.yml b/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/ipsec.yml
index 53e95fdb4dd..b5099b6ba4f 100644
--- a/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/ipsec.yml
+++ b/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/ipsec.yml
@@ -22,11 +22,11 @@ processors:
 if: ctx.message.toLowerCase().contains('disconnected')
 - set:
 field: source.ip
- value: "{{source.address}}"
+ value: "{{{source.address}}}"
 ignore_empty_value: true
 - set:
 field: destination.ip
- value: "{{destination.address}}"
+ value: "{{{destination.address}}}"
 ignore_empty_value: true
 - set:
 field: network.protocol
diff --git a/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/openvpn.yml b/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/openvpn.yml
index 51655318b08..ee893ee37d9 100644
--- a/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/openvpn.yml
+++ b/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/openvpn.yml
@@ -39,7 +39,7 @@ processors:
 if: ctx.message.toLowerCase().contains('initiat')
 - set:
 field: source.ip
- value: "{{source.address}}"
+ value: "{{{source.address}}}"
 ignore_empty_value: true
 - set:
 field: network.protocol
diff --git a/packages/pfsense/manifest.yml b/packages/pfsense/manifest.yml
index 32e544ce313..5a75792946b 100644
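Review bot: The ipsec.yml and openvpn.yml hunks copy `source.address` (and `destination.address` in ipsec) straight into the `ip`-typed `source.ip`/`destination.ip` with no validation visible in the hunk, so if the address field ever carries a hostname rather than an IP literal the whole document is rejected at index time instead of being degraded. If the upstream grok does not already constrain the value to an IP (not visible here), a `convert` processor with `type: ip` and `ignore_failure: true` on the target field would keep such events indexable. The enclosing processor lists continue outside the hunks.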
--- a/packages/pfsense/manifest.yml
+++ b/packages/pfsense/manifest.yml
@@ -1,6 +1,6 @@
 name: pfsense
 title: pfSense
-version: "1.20.0"
+version: "1.20.1"
 description: Collect logs from pfSense and OPNsense with Elastic Agent.
 type: integration
 icons:
diff --git a/packages/qnap_nas/changelog.yml b/packages/qnap_nas/changelog.yml
index 0e02acd1c84..b7fbcacc0cd 100644
--- a/packages/qnap_nas/changelog.yml
+++ b/packages/qnap_nas/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.20.1"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11286
 - version: "1.20.0"
 changes:
 - description: Update package spec to 3.0.3.
diff --git a/packages/qnap_nas/data_stream/log/_dev/test/pipeline/test-access.log-expected.json b/packages/qnap_nas/data_stream/log/_dev/test/pipeline/test-access.log-expected.json
index 55d62ac0559..75f1d708d0e 100644
--- a/packages/qnap_nas/data_stream/log/_dev/test/pipeline/test-access.log-expected.json
+++ b/packages/qnap_nas/data_stream/log/_dev/test/pipeline/test-access.log-expected.json
@@ -1,7 +1,7 @@
 {
 "expected": [
 {
- "@timestamp": "2023-10-30T20:24:24.000-05:00",
+ "@timestamp": "2024-10-30T20:24:24.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -10,7 +10,7 @@
 "category": [
 "file"
 ],
- "created": "2023-10-30T20:24:24.000-05:00",
+ "created": "2024-10-30T20:24:24.000-05:00",
 "kind": "event",
 "original": "<30>Oct 30 20:24:24 qnap-nas01 qulogd[14629]: conn log: Users: admin.user, Source IP: 10.50.36.33, Computer name: user-laptop, Connection type: Samba, Accessed resources: path/to/files/New folder, Action: Create Directory",
 "provider": "conn-log",
@@ -71,7 +71,7 @@
 }
 },
 {
- "@timestamp": "2023-10-30T20:24:25.000-05:00",
+ "@timestamp": "2024-10-30T20:24:25.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
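Review bot: The `@timestamp` and `created` values in test-access.log-expected.json move from 2023 to 2024 with no change to the pipeline's date handling, which indicates the expected output depends on the year the fixtures were regenerated, presumably because the `original` syslog lines carry no year; the same churn appears in test-event.log-expected.json and in the snort test-log-*.log-expected.json files. Fixtures like this will diverge again at the next year boundary and make unrelated commits carry fixture noise, so either list the timestamp fields under `dynamic_fields` in the pipeline test config or give the test samples a year the pipeline can parse. The snort fast-log format `MM/dd-HH:mm:ss.SSSSSS` in the snort default.yml hunk also carries no year, so whenever a log's month/day falls after the ingestion day the event is stamped with a date in the future; the `2024-12-30T14:09:21.116-06:00` value now expected in the fast fixture is consistent with that and is worth a follow-up in the date logic.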
@@ -80,7 +80,7 @@
 "category": [
 "authentication"
 ],
- "created": "2023-10-30T20:24:25.000-05:00",
+ "created": "2024-10-30T20:24:25.000-05:00",
 "kind": "event",
 "original": "<30>Oct 30 20:24:25 qnap-nas01 qulogd[14629]: conn log: Users: guest, Source IP: 10.50.36.33, Computer name: user-laptop, Connection type: Samba, Accessed resources: ---, Action: Login Fail",
 "outcome": "failure",
@@ -136,7 +136,7 @@
 }
 },
 {
- "@timestamp": "2023-10-30T20:35:25.000-05:00",
+ "@timestamp": "2024-10-30T20:35:25.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -145,7 +145,7 @@
 "category": [
 "authentication"
 ],
- "created": "2023-10-30T20:35:25.000-05:00",
+ "created": "2024-10-30T20:35:25.000-05:00",
 "kind": "event",
 "original": "<30>Oct 30 20:35:25 qnap-nas01 qulogd[14629]: conn log: Users: guest, Source IP: 10.50.36.33, Computer name: user-laptop, Connection type: Samba, Accessed resources: ---, Action: Login Success",
 "outcome": "success",
@@ -201,7 +201,7 @@
 }
 },
 {
- "@timestamp": "2023-11-21T14:42:18.000-05:00",
+ "@timestamp": "2024-11-21T14:42:18.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -210,7 +210,7 @@
 "category": [
 "authentication"
 ],
- "created": "2023-11-21T14:42:18.000-05:00",
+ "created": "2024-11-21T14:42:18.000-05:00",
 "kind": "event",
 "original": "<30>Nov 21 14:42:18 qnap-nas01 qulogd[14387]: conn log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Connection type: HTTP/HTTPS, Accessed resources: Administration, Action: Login Success",
 "outcome": "success",
@@ -263,7 +263,7 @@
 }
 },
 {
- "@timestamp": "2023-10-30T20:35:25.000-05:00",
+ "@timestamp": "2024-10-30T20:35:25.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -272,7 +272,7 @@
 "category": [
 "authentication"
 ],
- "created": "2023-10-30T20:35:25.000-05:00",
+ "created": "2024-10-30T20:35:25.000-05:00",
 "kind": "event",
 "original": "<30>Oct 30 20:35:25 qnap-nas01 qulogd[14629]: conn log: Users: guest, Source IP: 10.50.36.33, Computer name: user-laptop, Connection type: HTTP/HTTPS, Accessed resources: ---, Action: Logout",
 "provider": "conn-log",
@@ -327,7 +327,7 @@
 }
 },
 {
- "@timestamp": "2023-10-30T20:24:30.000-05:00",
+ "@timestamp": "2024-10-30T20:24:30.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -336,7 +336,7 @@
 "category": [
 "file"
 ],
- "created": "2023-10-30T20:24:30.000-05:00",
+ "created": "2024-10-30T20:24:30.000-05:00",
 "kind": "event",
 "original": "<30>Oct 30 20:24:30 qnap-nas01 qulogd[14629]: conn log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Connection type: HTTP/HTTPS, Accessed resources: [File Station] /Browser Station/admin, Action: Read",
 "provider": "conn-log",
@@ -394,7 +394,7 @@
 }
 },
 {
- "@timestamp": "2023-10-30T20:24:30.000-05:00",
+ "@timestamp": "2024-10-30T20:24:30.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -403,7 +403,7 @@
 "category": [
 "file"
 ],
- "created": "2023-10-30T20:24:30.000-05:00",
+ "created": "2024-10-30T20:24:30.000-05:00",
 "kind": "event",
 "original": "<30>Oct 30 20:24:30 qnap-nas01 qulogd[14629]: conn log: Users: admin.user, Source IP: 10.50.36.33, Computer name: user-laptop, Connection type: Samba, Accessed resources: path/to/files/New folder -> path/to/files/asdf, Action: Rename",
 "provider": "conn-log",
@@ -459,7 +459,7 @@
 }
 },
 {
- "@timestamp": "2023-10-30T20:24:33.000-05:00",
+ "@timestamp": "2024-10-30T20:24:33.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -468,7 +468,7 @@
 "category": [
 "file"
 ],
- "created": "2023-10-30T20:24:33.000-05:00",
+ "created": "2024-10-30T20:24:33.000-05:00",
 "kind": "event",
 "original": "<30>Oct 30 20:24:33 qnap-nas01 qulogd[14629]: conn log: Users: admin.user, Source IP: 10.50.36.33, Computer name: user-laptop, Connection type: Samba, Accessed resources: path/to/files/asdf, Action: Delete",
 "provider": "conn-log",
@@ -529,7 +529,7 @@
 }
 },
 {
- "@timestamp": "2023-10-30T20:43:19.000-05:00",
+ "@timestamp": "2024-10-30T20:43:19.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -538,7 +538,7 @@
 "category": [
 "file"
 ],
- "created": "2023-10-30T20:43:19.000-05:00",
+ "created": "2024-10-30T20:43:19.000-05:00",
 "kind": "event",
 "original": "<30>Oct 30 20:43:19 qnap-nas01 qulogd[14629]: conn log: Users: admin.user, Source IP: 10.50.36.33, Computer name: user-laptop, Connection type: Samba, Accessed resources: path/to/files/picture.jpg, Action: Read",
 "provider": "conn-log",
@@ -600,7 +600,7 @@
 }
 },
 {
- "@timestamp": "2023-10-30T20:43:19.000-05:00",
+ "@timestamp": "2024-10-30T20:43:19.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -609,7 +609,7 @@
 "category": [
 "file"
 ],
- "created": "2023-10-30T20:43:19.000-05:00",
+ "created": "2024-10-30T20:43:19.000-05:00",
 "kind": "event",
 "original": "<30>Oct 30 20:43:19 qnap-nas01 qulogd[14629]: conn log: Users: admin.user, Source IP: 10.50.36.33, Computer name: user-laptop, Connection type: Samba, Accessed resources: path/to/files/picture.jpg, Action: Add",
 "provider": "conn-log",
diff --git a/packages/qnap_nas/data_stream/log/_dev/test/pipeline/test-event.log-expected.json b/packages/qnap_nas/data_stream/log/_dev/test/pipeline/test-event.log-expected.json
index 11a66437480..0024fea35f6 100644
--- a/packages/qnap_nas/data_stream/log/_dev/test/pipeline/test-event.log-expected.json
+++ b/packages/qnap_nas/data_stream/log/_dev/test/pipeline/test-event.log-expected.json
@@ -1,7 +1,7 @@
 {
 "expected": [
 {
- "@timestamp": "2023-10-30T20:28:41.000-05:00",
+ "@timestamp": "2024-10-30T20:28:41.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -9,7 +9,7 @@
 "category": [
 "configuration"
 ],
- "created": "2023-10-30T20:28:41.000-05:00",
+ "created": "2024-10-30T20:28:41.000-05:00",
 "kind": "event",
 "original": "<28>Oct 30 20:28:41 qnap-nas01 qulogd[14629]: event log: Users: admin, Source IP: 127.0.0.1, Computer name: ---, Application: Network & Virtual Switch, Category: Infrastructure, Content: [Network & Virtual Switch] Interface \"Adapter 2\" disconnected.",
 "provider": "event-log",
@@ -53,7 +53,7 @@
 }
 },
 {
- "@timestamp": "2023-10-30T20:29:32.000-05:00",
+ "@timestamp": "2024-10-30T20:29:32.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -61,7 +61,7 @@
 "category": [
 "configuration"
 ],
- "created": "2023-10-30T20:29:32.000-05:00",
+ "created": "2024-10-30T20:29:32.000-05:00",
 "kind": "event",
 "original": "<30>Oct 30 20:29:32 qnap-nas01 qulogd[14629]: event log: Users: admin, Source IP: 127.0.0.1, Computer name: ---, Application: Network & Virtual Switch, Category: Infrastructure, Content: [Network & Virtual Switch] Interface \"Adapter 2\" connected.",
 "provider": "event-log",
@@ -105,7 +105,7 @@
 }
 },
 {
- "@timestamp": "2023-10-30T20:29:32.000-05:00",
+ "@timestamp": "2024-10-30T20:29:32.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -113,7 +113,7 @@
 "category": [
 "configuration"
 ],
- "created": "2023-10-30T20:29:32.000-05:00",
+ "created": "2024-10-30T20:29:32.000-05:00",
 "kind": "event",
 "original": "<30>Oct 30 20:29:32 qnap-nas01 qulogd[14629]: event log: Users: admin, Source IP: 127.0.0.1, Computer name: ---, Application: External Device, Category: UPS, Content: [External Device] UPS power restored. Canceled autoprotection mode..",
 "provider": "event-log",
@@ -157,7 +157,7 @@
 }
 },
 {
- "@timestamp": "2023-10-30T20:32:25.000-05:00",
+ "@timestamp": "2024-10-30T20:32:25.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -165,7 +165,7 @@
 "category": [
 "configuration"
 ],
- "created": "2023-10-30T20:32:25.000-05:00",
+ "created": "2024-10-30T20:32:25.000-05:00",
 "kind": "event",
 "original": "<30>Oct 30 20:32:25 qnap-nas01 qulogd[14629]: event log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Application: Network & Virtual Switch, Category: Static Route, Content: [Network & Virtual Switch] Added static route. Interface: , Destination: 5.5.5.0.",
 "provider": "event-log",
@@ -216,7 +216,7 @@
 }
 },
 {
- "@timestamp": "2023-10-30T20:34:22.000-05:00",
+ "@timestamp": "2024-10-30T20:34:22.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -224,7 +224,7 @@
 "category": [
 "configuration"
 ],
- "created": "2023-10-30T20:34:22.000-05:00",
+ "created": "2024-10-30T20:34:22.000-05:00",
 "kind": "event",
 "original": "<30>Oct 30 20:34:22 qnap-nas01 qulogd[14629]: event log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Application: Network & Virtual Switch, Category: Static Route, Content: [Network & Virtual Switch] Removed static route. Interface: , Destination: 5.5.5.0.",
 "provider": "event-log",
@@ -275,7 +275,7 @@
 }
 },
 {
- "@timestamp": "2023-11-21T15:23:42.000-05:00",
+ "@timestamp": "2024-11-21T15:23:42.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -284,7 +284,7 @@
 "category": [
 "file"
 ],
- "created": "2023-11-21T15:23:42.000-05:00",
+ "created": "2024-11-21T15:23:42.000-05:00",
 "kind": "event",
 "original": "<30>Nov 21 15:23:42 qnap-nas01 qulogd[14387]: event log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Application: Shared Folders, Category: General, Content: [Shared Folders] Created shared folder \"abcd\".",
 "provider": "event-log",
@@ -343,7 +343,7 @@
 }
 },
 {
- "@timestamp": "2023-11-21T15:23:42.000-05:00",
+ "@timestamp": "2024-11-21T15:23:42.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -352,7 +352,7 @@
 "category": [
 "file"
 ],
- "created": "2023-11-21T15:23:42.000-05:00",
+ "created": "2024-11-21T15:23:42.000-05:00",
 "kind": "event",
 "original": "<30>Nov 21 15:23:42 qnap-nas01 qulogd[14387]: event log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Application: Shared Folders, Category: General, Content: [Shared Folders] Deleted shared folder \"abcd\".",
 "provider": "event-log",
@@ -411,7 +411,7 @@
 }
 },
 {
- "@timestamp": "2023-11-21T15:23:42.000-05:00",
+ "@timestamp": "2024-11-21T15:23:42.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -420,7 +420,7 @@
 "category": [
 "iam"
 ],
- "created": "2023-11-21T15:23:42.000-05:00",
+ "created": "2024-11-21T15:23:42.000-05:00",
 "kind": "event",
 "original": "<30>Nov 21 15:23:42 qnap-nas01 qulogd[14387]: event log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Application: User Groups, Category: General, Content: [User Groups] Deleted user group \"test1\".",
 "provider": "event-log",
@@ -477,7 +477,7 @@
 }
 },
 {
- "@timestamp": "2023-11-21T15:23:42.000-05:00",
+ "@timestamp": "2024-11-21T15:23:42.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -486,7 +486,7 @@
 "category": [
 "iam"
 ],
- "created": "2023-11-21T15:23:42.000-05:00",
+ "created": "2024-11-21T15:23:42.000-05:00",
 "kind": "event",
 "original": "<30>Nov 21 15:23:42 qnap-nas01 qulogd[14387]: event log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Application: User Groups, Category: General, Content: [User Groups] Created user group \"test1\".",
 "provider": "event-log",
@@ -543,7 +543,7 @@
 }
 },
 {
- "@timestamp": "2023-11-21T15:23:42.000-05:00",
+ "@timestamp": "2024-11-21T15:23:42.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -552,7 +552,7 @@
 "category": [
 "iam"
 ],
- "created": "2023-11-21T15:23:42.000-05:00",
+ "created": "2024-11-21T15:23:42.000-05:00",
 "kind": "event",
 "original": "<30>Nov 21 15:23:42 qnap-nas01 qulogd[14387]: event log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Application: Users, Category: General, Content: [Users] Changed the password of user \"test\".",
 "outcome": "success",
@@ -610,7 +610,7 @@
 }
 },
 {
- "@timestamp": "2023-11-21T15:23:42.000-05:00",
+ "@timestamp": "2024-11-21T15:23:42.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -619,7 +619,7 @@
 "category": [
 "iam"
 ],
- "created": "2023-11-21T15:23:42.000-05:00",
+ "created": "2024-11-21T15:23:42.000-05:00",
 "kind": "event",
 "original": "<30>Nov 21 15:23:42 qnap-nas01 qulogd[14387]: event log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Application: Users, Category: General, Content: [Users] Edited the account profile of user \"test\".",
 "outcome": "success",
@@ -677,7 +677,7 @@
 }
 },
 {
- "@timestamp": "2023-11-21T15:23:42.000-05:00",
+ "@timestamp": "2024-11-21T15:23:42.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -686,7 +686,7 @@
 "category": [
 "iam"
 ],
- "created": "2023-11-21T15:23:42.000-05:00",
+ "created": "2024-11-21T15:23:42.000-05:00",
 "kind": "event",
 "original": "<30>Nov 21 15:23:42 qnap-nas01 qulogd[14387]: event log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Application: Users, Category: General, Content: [Users] Created user \"test\".",
 "provider": "event-log",
@@ -743,7 +743,7 @@
 }
 },
 {
- "@timestamp": "2023-11-21T15:23:42.000-05:00",
+ "@timestamp": "2024-11-21T15:23:42.000-05:00",
 "ecs": {
 "version": "8.11.0"
 },
@@ -752,7 +752,7 @@
 "category": [
 "iam"
 ],
- "created": "2023-11-21T15:23:42.000-05:00",
+ "created": "2024-11-21T15:23:42.000-05:00",
 "kind": "event",
 "original": "<30>Nov 21 15:23:42 qnap-nas01 qulogd[14387]: event log: Users: admin.user, Source IP: 10.50.36.33, Computer name: ---, Application: Users, Category: General, Content: [Users] Deleted user \"test\".",
 "provider": "event-log",
diff --git a/packages/qnap_nas/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/qnap_nas/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 393d5e3413b..e43d4c821c1 100644
--- a/packages/qnap_nas/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/qnap_nas/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -29,12 +29,12 @@ processors:
 LOG_TYPE: '(event log|conn log)'
 - set:
 field: event.timezone
- value: "{{_tmp.tz_offset}}"
+ value: "{{{_tmp.tz_offset}}}"
 if: ctx._tmp?.tz_offset != null && ctx._tmp?.tz_offset != 'local'
 - date:
 field: _tmp.timestamp
 target_field: '@timestamp'
- timezone: "{{ event.timezone }}"
+ timezone: "{{{ event.timezone }}}"
 formats:
 - MMM d HH:mm:ss
 - MMM dd HH:mm:ss
@@ -244,17 +244,17 @@ processors:
 - append:
 if: ctx.source?.ip != null
 field: related.ip
- value: '{{source.ip}}'
+ value: '{{{source.ip}}}'
 allow_duplicates: false
 - append:
 if: ctx.source?.domain != null
 field: related.hosts
- value: '{{source.domain}}'
+ value: '{{{source.domain}}}'
 allow_duplicates: false
 - append:
 if: ctx.user?.name != null
 field: related.user
- value: '{{user.name}}'
+ value: '{{{user.name}}}'
 allow_duplicates: false
 - remove:
 field:
diff --git a/packages/qnap_nas/manifest.yml b/packages/qnap_nas/manifest.yml
index ec31ddef81c..e762ca7c328 100644
--- a/packages/qnap_nas/manifest.yml
+++ b/packages/qnap_nas/manifest.yml
@@ -1,6 +1,6 @@
 name: qnap_nas
 title: QNAP NAS
-version: "1.20.0"
+version: "1.20.1"
 description: Collect logs from QNAP NAS devices with Elastic Agent.
 type: integration
 format_version: "3.0.3"
diff --git a/packages/radware/changelog.yml b/packages/radware/changelog.yml
index 7a6da86e686..afc5bceb26c 100644
--- a/packages/radware/changelog.yml
+++ b/packages/radware/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.19.1"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11286
 - version: "0.19.0"
 changes:
 - description: Deprecate package.
diff --git a/packages/radware/data_stream/defensepro/elasticsearch/ingest_pipeline/default.yml b/packages/radware/data_stream/defensepro/elasticsearch/ingest_pipeline/default.yml
index 3b57b776b5e..324d44c62c9 100644
--- a/packages/radware/data_stream/defensepro/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/radware/data_stream/defensepro/elasticsearch/ingest_pipeline/default.yml
@@ -54,7 +54,7 @@ processors:
 ignore_missing: true
 - append:
 field: related.hosts
- value: '{{host.name}}'
+ value: '{{{host.name}}}'
 allow_duplicates: false
 if: ctx.host?.name != null && ctx.host?.name != ''
 - remove:
diff --git a/packages/radware/manifest.yml b/packages/radware/manifest.yml
index c26cbda4216..7a60cc3a466 100644
--- a/packages/radware/manifest.yml
+++ b/packages/radware/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 2.7.0
 name: radware
 title: Radware DefensePro Logs (Deprecated)
-version: "0.19.0"
+version: "0.19.1"
 description: Deprecated. Radware DefensePro Logs is no longer supported.
 categories: ["security"]
 type: integration
diff --git a/packages/snort/changelog.yml b/packages/snort/changelog.yml
index 4ce0b70a5a2..14bef6f8111 100644
--- a/packages/snort/changelog.yml
+++ b/packages/snort/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.15.1"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11286
 - version: "1.15.0"
 changes:
 - description: Update package spec to 3.0.3.
diff --git a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-csv.log-expected.json b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-csv.log-expected.json
index 3746751bb1b..008cf7c21ae 100644
--- a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-csv.log-expected.json
+++ b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-csv.log-expected.json
@@ -1,7 +1,7 @@
 {
 "expected": [
 {
- "@timestamp": "2023-09-04T21:45:37.536-05:00",
+ "@timestamp": "2024-09-04T21:45:37.536-05:00",
 "destination": {
 "address": "10.100.10.190",
 "ip": "10.100.10.190",
@@ -75,7 +75,7 @@
 ]
 },
 {
- "@timestamp": "2023-09-04T21:45:37.553-05:00",
+ "@timestamp": "2024-09-04T21:45:37.553-05:00",
 "destination": {
 "address": "10.100.10.190",
 "ip": "10.100.10.190",
@@ -149,7 +149,7 @@
 ]
 },
 {
- "@timestamp": "2023-09-04T21:50:40.017-05:00",
+ "@timestamp": "2024-09-04T21:50:40.017-05:00",
 "destination": {
 "address": "10.100.10.190",
 "ip": "10.100.10.190",
@@ -220,7 +220,7 @@
 ]
 },
 {
- "@timestamp": "2023-09-04T21:50:39.947-05:00",
+ "@timestamp": "2024-09-04T21:50:39.947-05:00",
 "destination": {
 "address": "10.100.10.190",
 "ip": "10.100.10.190",
@@ -291,7 +291,7 @@
 ]
 },
 {
- "@timestamp": "2023-09-04T21:50:40.666-05:00",
+ "@timestamp": "2024-09-04T21:50:40.666-05:00",
 "destination": {
 "address": "10.100.10.255",
 "ip": "10.100.10.255",
@@ -362,7 +362,7 @@
 ]
 },
 {
- "@timestamp": "2023-09-04T21:49:55.900-05:00",
+ "@timestamp": "2024-09-04T21:49:55.900-05:00",
 "destination": {
 "address": "175.16.199.1",
 "geo": {
@@ -449,7 +449,7 @@
 ]
 },
 {
- "@timestamp": "2023-09-04T21:49:55.911-05:00",
+ "@timestamp": "2024-09-04T21:49:55.911-05:00",
 "destination": {
 "address": "10.100.10.190",
 "ip": "10.100.10.190",
@@ -536,7 +536,7 @@
 ]
 },
 {
- "@timestamp": "2023-09-04T21:49:56.900-05:00",
+ "@timestamp": "2024-09-04T21:49:56.900-05:00",
 "destination": {
 "address": "175.16.199.1",
 "geo": {
diff --git a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-fast.log-expected.json b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-fast.log-expected.json
index a7f45a88909..3e6073d929c 100644
--- a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-fast.log-expected.json
+++ b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-fast.log-expected.json
@@ -1,7 +1,7 @@
 {
 "expected": [
 {
- "@timestamp": "2023-05-30T19:09:10.917-05:00",
+ "@timestamp": "2024-05-30T19:09:10.917-05:00",
 "destination": {
 "address": "255.255.255.255",
 "ip": "255.255.255.255",
@@ -57,7 +57,7 @@
 ]
 },
 {
- "@timestamp": "2023-05-30T19:09:28.472-05:00",
+ "@timestamp": "2024-05-30T19:09:28.472-05:00",
 "destination": {
 "address": "175.16.199.1",
 "geo": {
@@ -125,7 +125,7 @@
 ]
 },
 {
- "@timestamp": "2023-05-30T19:09:10.917-05:00",
+ "@timestamp": "2024-05-30T19:09:10.917-05:00",
 "destination": {
 "address": "175.16.199.1",
 "geo": {
@@ -201,7 +201,7 @@
 ]
 },
 {
- "@timestamp": "2023-12-30T14:09:21.116-06:00",
+ "@timestamp": "2024-12-30T14:09:21.116-06:00",
 "destination": {
 "address": "175.16.199.1",
 "geo": {
@@ -269,7 +269,7 @@
 ]
 },
 {
- "@timestamp": "2023-01-21T02:23:42.327-06:00",
+ "@timestamp": "2024-01-21T02:23:42.327-06:00",
 "destination": {
 "address": "192.168.115.10",
 "ip": "192.168.115.10",
@@ -337,7 +337,7 @@
 ]
 },
 {
- "@timestamp": "2023-01-21T02:23:42.208-06:00",
+ "@timestamp": "2024-01-21T02:23:42.208-06:00",
 "destination": {
 "address": "192.168.115.10",
 "ip": "192.168.115.10"
@@ -403,7 +403,7 @@
 ]
 },
 {
- "@timestamp": "2023-09-04T21:55:02.041-05:00",
+ "@timestamp": "2024-09-04T21:55:02.041-05:00",
 "destination": {
 "address": "10.100.10.190",
 "ip": "10.100.10.190",
@@ -471,7 +471,7 @@
 ]
 },
 {
- "@timestamp": "2023-09-04T21:55:02.118-05:00",
+ "@timestamp": "2024-09-04T21:55:02.118-05:00",
 "destination": {
 "address": "10.100.10.190",
 "ip": "10.100.10.190",
@@ -539,7 +539,7 @@
 ]
 },
 {
- "@timestamp": "2023-09-04T21:54:43.216-05:00",
+ "@timestamp": "2024-09-04T21:54:43.216-05:00",
 "destination": {
 "address": "175.16.199.1",
 "geo": {
@@ -605,7 +605,7 @@
 ]
 },
 {
- "@timestamp": "2023-09-04T21:54:43.227-05:00",
+ "@timestamp": "2024-09-04T21:54:43.227-05:00",
 "destination": {
 "address": "10.100.10.190",
 "ip": "10.100.10.190"
diff --git a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-full.log-expected.json b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-full.log-expected.json
index 6348d1470f1..e75f8da3fd8 100644
--- a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-full.log-expected.json
+++ b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-full.log-expected.json
@@ -1,7 +1,7 @@
 {
 "expected": [
 {
- "@timestamp": "2023-09-04T21:42:42.860-05:00",
+ "@timestamp": "2024-09-04T21:42:42.860-05:00",
 "destination": {
 "address": "10.100.10.190",
 "ip": "10.100.10.190",
@@ -73,7 +73,7 @@
 ]
 },
 {
- "@timestamp": "2023-09-04T21:42:42.903-05:00",
+ "@timestamp": "2024-09-04T21:42:42.903-05:00",
 "destination": {
 "address": "10.100.10.190",
 "ip": "10.100.10.190",
@@ -145,7 +145,7 @@
 ]
 },
 {
- "@timestamp": "2023-09-04T21:53:15.299-05:00",
+ "@timestamp": "2024-09-04T21:53:15.299-05:00",
 "destination": {
 "address": "10.100.10.190",
 "ip": "10.100.10.190",
@@ -213,7 +213,7 @@
 ]
 },
 {
- "@timestamp": "2023-09-04T21:53:15.299-05:00",
+ "@timestamp": "2024-09-04T21:53:15.299-05:00",
 "destination": {
 "address": "175.16.199.1",
 "geo": {
@@ -295,7 +295,7 @@ ] }, { - "@timestamp": "2023-09-04T21:53:15.301-05:00", + "@timestamp": "2024-09-04T21:53:15.301-05:00", "destination": { "address": "10.100.10.190", "ip": "10.100.10.190", @@ -368,7 +368,7 @@ ] }, { - "@timestamp": "2023-09-04T21:53:15.309-05:00", + "@timestamp": "2024-09-04T21:53:15.309-05:00", "destination": { "address": "10.100.10.190", "ip": "10.100.10.190" @@ -449,7 +449,7 @@ ] }, { - "@timestamp": "2023-09-04T21:53:15.358-05:00", + "@timestamp": "2024-09-04T21:53:15.358-05:00", "destination": { "address": "10.100.10.190", "ip": "10.100.10.190", diff --git a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-json.log-expected.json b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-json.log-expected.json index a09003d1ec9..add703c6c1c 100644 --- a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-json.log-expected.json +++ b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-json.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-12-16T20:33:33.603-06:00", + "@timestamp": "2024-12-16T20:33:33.603-06:00", "destination": { "address": "10.10.10.1", "ip": "10.10.10.1", @@ -81,7 +81,7 @@ ] }, { - "@timestamp": "2023-11-21T18:01:50.061-06:00", + "@timestamp": "2024-11-21T18:01:50.061-06:00", "destination": { "address": "10.11.21.11", "ip": "10.11.21.11", @@ -148,7 +148,7 @@ ] }, { - "@timestamp": "2023-01-17T03:03:23.476-06:00", + "@timestamp": "2024-01-17T03:03:23.476-06:00", "destination": { "address": "192.168.3.35", "ip": "192.168.3.35", @@ -250,7 +250,7 @@ ] }, { - "@timestamp": "2023-04-01T09:02:23.126-05:00", + "@timestamp": "2024-04-01T09:02:23.126-05:00", "destination": { "address": "255.255.255.255", "ip": "255.255.255.255", @@ -329,7 +329,7 @@ ] }, { - "@timestamp": "2023-03-16T15:11:22.800-05:00", + "@timestamp": "2024-03-16T15:11:22.800-05:00", "destination": { "address": "192.168.27.27", "ip": "192.168.27.27", 
diff --git a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-syslog.log-expected.json b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-syslog.log-expected.json index fbdfbdbde60..9423c73918a 100644 --- a/packages/snort/data_stream/log/_dev/test/pipeline/test-log-syslog.log-expected.json +++ b/packages/snort/data_stream/log/_dev/test/pipeline/test-log-syslog.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-09-05T16:05:26.000-05:00", + "@timestamp": "2024-09-05T16:05:26.000-05:00", "destination": { "address": "10.25.10.22", "ip": "10.25.10.22", @@ -61,7 +61,7 @@ ] }, { - "@timestamp": "2023-09-05T16:05:26.000-05:00", + "@timestamp": "2024-09-05T16:05:26.000-05:00", "destination": { "address": "10.50.10.190", "ip": "10.50.10.190", @@ -120,7 +120,7 @@ ] }, { - "@timestamp": "2023-09-05T16:02:55.000-05:00", + "@timestamp": "2024-09-05T16:02:55.000-05:00", "destination": { "address": "175.16.199.1", "geo": { diff --git a/packages/snort/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/snort/data_stream/log/elasticsearch/ingest_pipeline/default.yml index c606267eb2e..24c633ef2c3 100644 --- a/packages/snort/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/snort/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -35,12 +35,12 @@ processors: name: '{{ IngestPipeline "json" }}' - set: field: event.timezone - value: "{{_tmp.tz_offset}}" + value: "{{{_tmp.tz_offset}}}" if: ctx._tmp?.tz_offset != null && ctx._tmp?.tz_offset != 'local' - date: field: _tmp.timestamp target_field: '@timestamp' - timezone: "{{ event.timezone }}" + timezone: "{{{ event.timezone }}}" formats: - MM/dd-HH:mm:ss.SSSSSS - MM/dd/YY-HH:mm:ss.SSSSSS 
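Review bot: Nothing in the pipeline records why these tags are triple-braced, so a later author or formatter may "normalise" `{{{_tmp.tz_offset}}}` and `{{{ event.timezone }}}` back to double braces and silently reintroduce HTML escaping of the value; a one-line comment above the first templated processor would pin the intent: `# {{{ }}} inserts the value verbatim; {{ }} would HTML-escape it.` The `name: '{{ IngestPipeline "json" }}'` line at the top of the hunk correctly stays double-braced, as that placeholder appears to be resolved by elastic-package at build time rather than rendered by the ingest node, which is worth saying in the same comment so a future sweep does not convert it. The same documentation gap applies to every other ingest-pipeline hunk in this patch (snort `@@ -180`, the sophos and suricata pipelines). The processors list continues outside the hunk.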
@@ -180,12 +180,12 @@ processors: - append: if: ctx.source?.ip != null field: related.ip - value: '{{source.ip}}' + value: '{{{source.ip}}}' allow_duplicates: false - append: if: ctx.destination?.ip != null field: related.ip - value: '{{destination.ip}}' + value: '{{{destination.ip}}}' allow_duplicates: false - remove: field: diff --git a/packages/snort/manifest.yml b/packages/snort/manifest.yml index c37f5029a8e..52ce4bd1b28 100644 --- a/packages/snort/manifest.yml +++ b/packages/snort/manifest.yml @@ -1,6 +1,6 @@ name: snort title: Snort -version: "1.15.0" +version: "1.15.1" description: Collect logs from Snort with Elastic Agent. type: integration icons: diff --git a/packages/sophos/changelog.yml b/packages/sophos/changelog.yml index 8210b44a59f..7017f42abd9 100644 --- a/packages/sophos/changelog.yml +++ b/packages/sophos/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "3.9.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11286 - version: "3.9.0" changes: - description: Update package-spec to 3.0.3. diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml index 357bab35271..5abd7763eb2 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml @@ -9,7 +9,7 @@ processors: value: event - set: field: event.action - value: "{{sophos.xg.log_subtype}}" + value: "{{{sophos.xg.log_subtype}}}" ignore_empty_value: true - set: field: event.outcome diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml index ea6e3c1406a..0e3011af7e3 100644 
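Review bot: The antispam `set` for `event.action` guards with `ignore_empty_value: true`, while the sibling pipelines changed in this patch (antivirus, atp, cfilter, firewall, idp and sandstorm, in the hunks that follow) guard the identical `set` with `if: "ctx.sophos?.xg?.log_subtype != null"` only. The two are not equivalent: `ignore_empty_value` also skips when the template renders to an empty string, so a blank `log_subtype` leaves `event.action` unset here but writes `event.action: ""` in the others, which is awkward to match in detection rules and inconsistent across data streams of the same package. Adding `ignore_empty_value: true` beneath the `if:` line in each sibling (or using it alone, as antispam does) would align them. The enclosing processors list extends beyond the hunk.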
--- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml @@ -9,7 +9,7 @@ processors: value: alert - set: field: event.action - value: "{{sophos.xg.log_subtype}}" + value: "{{{sophos.xg.log_subtype}}}" if: "ctx.sophos?.xg?.log_subtype != null" - set: field: event.outcome diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml index 186e5b00a8c..5dcc03f9e1f 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml @@ -9,7 +9,7 @@ processors: value: alert - set: field: event.action - value: "{{sophos.xg.log_subtype}}" + value: "{{{sophos.xg.log_subtype}}}" if: "ctx.sophos?.xg?.log_subtype != null" - set: field: event.outcome diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml index c02458a2b2e..0b5e8f36d58 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml @@ -9,7 +9,7 @@ processors: value: event - set: field: event.action - value: "{{sophos.xg.log_subtype}}" + value: "{{{sophos.xg.log_subtype}}}" if: "ctx.sophos?.xg?.log_subtype != null" - set: field: event.outcome diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml index b9219053a6e..a252eb59ddc 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/default.yml 
@@ -468,7 +468,7 @@ processors: field: sophos.xg.eventtime - date: if: ctx.sophos?.xg?.eventtime != null && ctx.event?.timezone != null - timezone: "{{ event.timezone }}" + timezone: "{{{ event.timezone }}}" field: sophos.xg.eventtime target_field: sophos.xg.eventtime formats: diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/event.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/event.yml index 62083620122..f6927406a8c 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/event.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/event.yml @@ -88,11 +88,11 @@ processors: if: "ctx.sophos?.xg?.user_name != null" - set: field: source.user.name - value: '{{sophos.xg.name}}' + value: '{{{sophos.xg.name}}}' if: "ctx.sophos?.xg?.name != null" - set: field: user.name - value: '{{source.user.name}}' + value: '{{{source.user.name}}}' ignore_empty_value: true if: 'ctx.sophos?.xg?.log_subtype == "Authentication"' - rename: diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml index 5483a38f6c0..ead0755dd61 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml @@ -9,7 +9,7 @@ processors: value: event - set: field: event.action - value: "{{sophos.xg.log_subtype}}" + value: "{{{sophos.xg.log_subtype}}}" if: "ctx.sophos?.xg?.log_subtype != null" - set: field: event.outcome diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml index 50e17aeb5ce..e23b9626c62 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml 
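Review bot: In the event.yml hunk, the `source.user.name` set is guarded only by `if: "ctx.sophos?.xg?.name != null"`, while the `user.name` set that copies from it two lines later also carries `ignore_empty_value: true`; an empty `sophos.xg.name` therefore yields `source.user.name: ""` with no `user.name`, and with triple braces that empty value is now passed through exactly. Adding `ignore_empty_value: true` to the first `set`, next to its `if:` line, makes the pair behave the same. Separately, documents indexed before this fix may hold HTML-entity forms of names containing quotes or `&`, so saved searches on `user.name` that span the upgrade can miss; that is a release-note detail rather than a pipeline change. The processors list continues outside the hunk.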
@@ -9,7 +9,7 @@ processors: value: alert - set: field: event.action - value: "{{sophos.xg.log_subtype}}" + value: "{{{sophos.xg.log_subtype}}}" if: "ctx.sophos?.xg?.log_subtype != null" - set: field: event.outcome diff --git a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml index 54145c50e46..6d984fabbbb 100644 --- a/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml +++ b/packages/sophos/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml @@ -9,7 +9,7 @@ processors: value: event - set: field: event.action - value: "{{sophos.xg.log_subtype}}" + value: "{{{sophos.xg.log_subtype}}}" if: "ctx.sophos?.xg?.log_subtype != null" - set: field: event.outcome diff --git a/packages/sophos/manifest.yml b/packages/sophos/manifest.yml index 2e8c1396420..f0918175f5d 100644 --- a/packages/sophos/manifest.yml +++ b/packages/sophos/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: sophos title: Sophos -version: "3.9.0" +version: "3.9.1" description: Collect logs from Sophos with Elastic Agent. categories: - "security" diff --git a/packages/suricata/changelog.yml b/packages/suricata/changelog.yml index 05072f82889..99837f427ed 100644 --- a/packages/suricata/changelog.yml +++ b/packages/suricata/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.21.3" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11286 - version: "2.21.2" changes: - description: Handle unset TLS data fields diff --git a/packages/suricata/data_stream/eve/elasticsearch/ingest_pipeline/default.yml b/packages/suricata/data_stream/eve/elasticsearch/ingest_pipeline/default.yml index 3e67a0fafd4..9259cff2092 100644 --- a/packages/suricata/data_stream/eve/elasticsearch/ingest_pipeline/default.yml 
+++ b/packages/suricata/data_stream/eve/elasticsearch/ingest_pipeline/default.yml @@ -652,11 +652,11 @@ processors: allow_duplicates: false - append: field: related.hash - value: "{{tls.server.ja3s}}" + value: "{{{tls.server.ja3s}}}" if: "ctx?.tls?.server?.ja3s != null" - append: field: related.hash - value: "{{tls.client.ja3}}" + value: "{{{tls.client.ja3}}}" if: "ctx?.tls?.client?.ja3 != null" allow_duplicates: false - remove: diff --git a/packages/suricata/data_stream/eve/elasticsearch/ingest_pipeline/tls.yml b/packages/suricata/data_stream/eve/elasticsearch/ingest_pipeline/tls.yml index 5a19f1e53d2..cabacf09feb 100644 --- a/packages/suricata/data_stream/eve/elasticsearch/ingest_pipeline/tls.yml +++ b/packages/suricata/data_stream/eve/elasticsearch/ingest_pipeline/tls.yml @@ -167,7 +167,7 @@ processors: ignore_failure: true - append: field: related.hash - value: "{{tls.server.hash.sha1}}" + value: "{{{tls.server.hash.sha1}}}" if: "ctx?.tls?.server?.hash?.sha1 != null" - set: field: tls.client.server_name diff --git a/packages/suricata/manifest.yml b/packages/suricata/manifest.yml index 4ee78207a6f..5d5577eed3f 100644 --- a/packages/suricata/manifest.yml +++ b/packages/suricata/manifest.yml @@ -1,6 +1,6 @@ name: suricata title: Suricata -version: "2.21.2" +version: "2.21.3" description: Collect logs from Suricata with Elastic Agent. type: integration icons:
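Review bot: The `related.hash` append for `tls.server.ja3s` has no `allow_duplicates: false`, while the append that ends at the top of the hunk and the `tls.client.ja3` append after it both set it; the `tls.server.hash.sha1` append in the tls.yml hunk on this line has the same gap. Since `related.hash` is a de-duplicated union of hashes meant for pivoting, a repeated value only inflates the array, so add `allow_duplicates: false` under the `if:` line of the ja3s append and of the sha1 append. The `ctx?.tls?.…` form is also unusual, as `ctx` is never null in a processor condition; the other hunks in this patch write `ctx.source?.ip`-style, so `ctx.tls?.server?.ja3s != null` would match the rest of the package. Both processors lists continue outside their hunks.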