[cisco_ise] Fix multiple pipeline processing issues (#11619)

* Fix multiple pipeline processing issues
elastic · Nov 13, 2024 · c55e51d · c55e51d
1 parent a1a91fe
commit c55e51d
Show file tree

Hide file tree

Showing 31 changed files with 890 additions and 53 deletions.
diff --git a/packages/cisco_ise/changelog.yml b/packages/cisco_ise/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.24.1"
+  changes:
+    - description: Fix multiple pipeline processing issues.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/11619
 - version: "1.24.0"
   changes:
     - description: Improve ECS mappings by setting client.mac and event.outcome.

diff --git a/...cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log-expected.json b/...cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log-expected.json
@@ -854,4 +854,4 @@
             ]
         }
     ]
-}
+}
diff --git a/...data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log b/...data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log
@@ -33,3 +33,4 @@
 <181>Mar 14 09:43:33 isehost CISE_Administrative_and_Operational_Audit 0000000312 1 0 2022-03-14 09:43:33.233 +00:00 0000000402 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=55, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=admin, ConfigChangeData=object updated: Name=testad1, ObjectType=Active Directory Instance, ObjectName=testad1, Component=UNKNOWN, ObjectInternalID=unknown,
 <149>Mar 20 12:13:30 isehost CISE_Administrative_and_Operational_Audit 0000002725 1 0 2022-03-20 12:13:30.185 +00:00 0000003033 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=546, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=10.0.9.204, AdminName=internal-sys-user, ConfigChangeData=Local Storage Period = 1 days, ObjectType=UPSLogSettings, ObjectName=LocalStore,
 <181>Mar 29 05:53:36 isehost CISE_Administrative_and_Operational_Audit 0000000931 1 0 2022-03-29 05:53:36.769 +00:00 0000001104 52002 NOTICE Configuration-Changes: Deleted configuration, ConfigVersionId=258, AdminInterface=GUI, AdminIPAddress=81.2.69.144, AdminName=admin, ObjectType=Active Directory Instance, ObjectName=test123test123test123test123test, Component=Network Access, ObjectInternalID=unknown,
+Oct 15 20:00:06 isehost CISE_Administrative_and_Operational_Audit 0000020943 1 0 2024-10-15 20:00:06.564 +00:00 0000047438 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=522, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminSession=ProfilerSession, AdminName=internal-feed-user, ConfigChangeData=CONRAD CORP., ObjectType=OUI, ObjectName=00:01:C8,
diff --git a/...g/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json b/...g/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json
@@ -2831,6 +2831,96 @@
             "tags": [
                 "preserve_original_event"
             ]
+        },
+        {
+            "@timestamp": "2024-10-15T20:00:06.564Z",
+            "cisco_ise": {
+                "log": {
+                    "admin": {
+                        "interface": "GUI",
+                        "session": "ProfilerSession"
+                    },
+                    "category": {
+                        "name": "CISE_Administrative_and_Operational_Audit"
+                    },
+                    "config_change": {
+                        "data": "CONRAD CORP."
+                    },
+                    "config_version": {
+                        "id": 522
+                    },
+                    "failure": {
+                        "flag": false
+                    },
+                    "message": {
+                        "code": "52001",
+                        "description": "Configuration-Changes: Changed configuration",
+                        "id": "0000020943"
+                    },
+                    "object": {
+                        "name": "00:01:C8",
+                        "type": "OUI"
+                    },
+                    "request_response": {
+                        "type": "initial"
+                    },
+                    "segment": {
+                        "number": 0,
+                        "total": 1
+                    }
+                }
+            },
+            "client": {
+                "ip": "81.2.69.143",
+                "user": {
+                    "name": "internal-feed-user"
+                }
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "configuration-changes",
+                "category": [
+                    "iam",
+                    "configuration"
+                ],
+                "code": "52001",
+                "kind": "event",
+                "original": "Oct 15 20:00:06 isehost CISE_Administrative_and_Operational_Audit 0000020943 1 0 2024-10-15 20:00:06.564 +00:00 0000047438 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=522, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminSession=ProfilerSession, AdminName=internal-feed-user, ConfigChangeData=CONRAD CORP., ObjectType=OUI, ObjectName=00:01:C8,",
+                "sequence": 47438,
+                "timezone": "+00:00",
+                "type": [
+                    "change",
+                    "info"
+                ]
+            },
+            "host": {
+                "hostname": "isehost"
+            },
+            "log": {
+                "level": "notice",
+                "syslog": {
+                    "severity": {
+                        "name": "notice"
+                    }
+                }
+            },
+            "message": "2024-10-15 20:00:06.564 +00:00 0000047438 52001 NOTICE Configuration-Changes: Changed configuration, ConfigVersionId=522, FailureFlag=false, RequestResponseType=initial, AdminInterface=GUI, AdminIPAddress=81.2.69.143, AdminSession=ProfilerSession, AdminName=internal-feed-user, ConfigChangeData=CONRAD CORP., ObjectType=OUI, ObjectName=00:01:C8,",
+            "related": {
+                "hosts": [
+                    "isehost"
+                ],
+                "ip": [
+                    "81.2.69.143"
+                ],
+                "user": [
+                    "internal-feed-user"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
         }
     ]
-}
+}
diff --git a/...am/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log-expected.json b/...am/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log-expected.json
@@ -1027,4 +1027,4 @@
             ]
         }
     ]
-}
+}
diff --git a/...s/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-cise-alarm.log-expected.json b/...s/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-cise-alarm.log-expected.json
@@ -1044,4 +1044,4 @@
             ]
         }
     ]
-}
+}
diff --git a/...co_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json b/...co_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json
@@ -1238,4 +1238,4 @@
             }
         }
     ]
-}
+}
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log-expected.json
@@ -351,4 +351,4 @@
             ]
         }
     ]
-}
+}
diff --git a/...stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log-expected.json b/...stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log-expected.json
@@ -1366,4 +1366,4 @@
             ]
         }
     ]
-}
+}
diff --git a/...am/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log-expected.json b/...am/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log-expected.json
@@ -372,4 +372,4 @@
             ]
         }
     ]
-}
+}
diff --git a/...isco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-monitoring-data-purge-audit.log b/...isco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-monitoring-data-purge-audit.log
@@ -0,0 +1 @@
+Oct 16 05:56:08 isehost CISE_MONITORING_DATA_PURGE_AUDIT 2024-10-16 05:00:02.595 +0000 60198 INFO null: MnT purge event occurred, MESSAGE=Total Data threshold_space = 552 GB, used_space = 121.87725830078125 GB,
diff --git a/...stream/log/_dev/test/pipeline/test-pipeline-monitoring-data-purge-audit.log-expected.json b/...stream/log/_dev/test/pipeline/test-pipeline-monitoring-data-purge-audit.log-expected.json
@@ -0,0 +1,49 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2024-10-16T05:00:02.595Z",
+            "cisco_ise": {
+                "log": {
+                    "category": {
+                        "name": "CISE_MONITORING_DATA_PURGE_AUDIT"
+                    },
+                    "log_details": {
+                        "MESSAGE": "Total Data threshold_space = 552 GB, used_space = 121.87725830078125 GB"
+                    },
+                    "message": {
+                        "description": "null: MnT purge event occurred"
+                    }
+                }
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "null",
+                "kind": "event",
+                "original": "Oct 16 05:56:08 isehost CISE_MONITORING_DATA_PURGE_AUDIT 2024-10-16 05:00:02.595 +0000 60198 INFO null: MnT purge event occurred, MESSAGE=Total Data threshold_space = 552 GB, used_space = 121.87725830078125 GB,",
+                "sequence": 60198
+            },
+            "host": {
+                "hostname": "isehost"
+            },
+            "log": {
+                "level": "info",
+                "syslog": {
+                    "severity": {
+                        "name": "info"
+                    }
+                }
+            },
+            "message": "2024-10-16 05:00:02.595 +0000 60198 INFO null: MnT purge event occurred, MESSAGE=Total Data threshold_space = 552 GB, used_space = 121.87725830078125 GB,",
+            "related": {
+                "hosts": [
+                    "isehost"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        }
+    ]
+}
diff --git a/...s/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log-expected.json b/...s/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log-expected.json
@@ -691,4 +691,4 @@
             ]
         }
     ]
-}
+}