Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add filebeat module autotest to check related.user field if user.name present #32663

Open
leweafan opened this issue Aug 11, 2022 · 6 comments
Open

Add filebeat module autotest to check related.user field if user.name present #32663

leweafan opened this issue Aug 11, 2022 · 6 comments
Labels
needs_team Indicates that the issue/PR needs a Team:* label

Comments

@leweafan
Copy link
Contributor

leweafan commented Aug 11, 2022
edited
Loading

Describe the enhancement:

Add filebeat module autotest to check related.user field if user.name present
Sometimes field user.name present and related.user missing.

Describe a specific use case for the enhancement or feature:

Example RabbitMQ module. Check test.log-expected.json - user.name field present and related.user missing.
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Aug 11, 2022
@leweafan leweafan changed the title Add module autotest to check related.user field if user.name present Add filebeat module autotest to check related.user field if user.name present Aug 11, 2022
@leweafan leweafan mentioned this issue Aug 11, 2022
Closed
@jsoriano
Copy link
Member

Hi @leweafan,

I am not sure if this field should be required in all modules. They probably need additional logic to find proper values, and maybe it doesn't make always sense to have it.

In the example of RabbitMQ, what values would you expect for related.user?

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Aug 25, 2022
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@leweafan
Copy link
Contributor Author

leweafan commented Aug 25, 2022
edited
Loading

Hi @jsoriano!
If we have *.ip field then there should exist related.ip field and if there is user.name field then related.user must exist. It's obvious from field description:

All the user names or other user identifiers seen on the event

In RabbitMQ case related.user = user.name

@jsoriano
Copy link
Member

jsoriano commented Aug 25, 2022
edited
Loading

I see, you are right 👍 let's keep this open.

This was referenced Feb 21, 2023
Closed
Open
@botelastic
Copy link

botelastic bot commented Aug 25, 2023

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Aug 25, 2023
@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed Stalled labels Feb 2, 2024
@botelastic
Copy link

botelastic bot commented Feb 2, 2024

This issue doesn't have a Team:<team> label.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs_team Indicates that the issue/PR needs a Team:* label
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jsoriano @narph @leweafan @elasticmachine