[system + winlog] Fix mapping for time_created to date

[nicpenning]

• Bug

What does this PR do?

This sets the winlog.time_created field (currently keyword) to a date type. Even though that I have no data that has this field any longer (in Winlogbeat or Elastic Agent System or Custom Windows event log integrations), I see that it exists in the sample json files provided in the pipelines directory for testing, so instead of removing it, I am updating to a date as it should be.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-02-23T01:49:52.859+0000

• Duration: 15 min 25 sec

Test stats 🧪

Test	Results
Failed	0
Passed	196
Skipped	0
Total	196

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[efd6]

I'm not sure we can do this safely; in system, if the date processor fails we have a field that may fail ingest and in winlog there is no pipeline, so we have no control of the format of the value in the field and so again risk an ingest failure. The system case could be made more safe, but winlog has no processor by design.

Also, what are the implications for existing installations with a mapping change?

[nicpenning]

Today, it seems that this field doesn't exist anyways. In the System System, and Application mappings, this field does not exist so they are not in conflict with the properly mapped Winlogbeat mappings.

Do you have any modern examples with the Elastic Agent and of the System or Custom Windows logs that this field exists?

None the less, the other option is to remove this field mapping entirely.

Right now it is inconsistent between the System Integrations, Windows and Custom Windows integrations.

What would you recommend?

[efd6]

Thanks, the mapping in winlogbeat supports this change.

I think I'd suggest leaving the winlog integration as you have it; the responsibility I guess lies on the user to provide an appropriate pipeline to handle the data stream. For the system/security it could be made safe by adding an on_failure option to the date processor (and modifying the pipeline on_failure option).

Something like

  - date:
      tag: "time_created_date"
      field: winlog.time_created
      formats:
        - ISO8601
      if: ctx.winlog?.time_created != null
      on_failure:
        - remove:
            field: winlog.time_created
            ignore_failure: true
        - append:
            field: error.message
            value: "fail-{{{ _ingest.on_failure_processor_tag }}}"
        - fail:
            message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}"
on_failure:
  - set:
      field: event.kind
      value: pipeline_error
  - append:
      field: error.message
      value: "{{ _ingest.on_failure_message }}"

Could also consider a rename instead of a remove in the case of a failure.

[nicpenning]

I like the fail safe in the pipeline. I am good with adding that.

I am wondering if the sample document came from Splunk or a third party ingestion tool because of the 10k winlogbeat endpoints and many event channels, time_created doesn't appear to exist. We only have about 30 Elastic agents with the reapective integrations but no matches yet. I see the sample doc was from 2019 so there could have been a change in the last 3-4 years for this source.

[nicpenning]

I went ahead and adapted your feedback for adjusting the pipeline.

[efd6]

/test

[efd6]

We do need the tag here.

[nicpenning]

Okay, I will add it in.

[nicpenning]

Added

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (3/3)	💚
Files	100.0% (4/4)	💚
Classes	100.0% (4/4)	💚
Methods	60.976% (50/82)	👍 35.976
Lines	99.535% (2780/2793)	👎 -0.465
Conditionals	100.0% (0/0)	💚

[nicpenning]

Corrected, please test.

[nicpenning]

/test

[efd6]

I just noticed this. Please make this an append, otherwise the fail tag will be lost. Also set the event.kind as shown above.

[efd6]

I'd prefer that these were set in the global on_failure. This way if we add others in the future, they are already handled.

[nicpenning]

How is that?

[efd6]

I'd prefer that these were set in the global on_failure. This way if we add others in the future, they are already handled.

[efd6]

Please revert eab6083.

[nicpenning]

I couldn't find a way to revert here on github.com so I applied changes to align to what it was before this commit.

[efd6]

The global on_failure should be

on_failure:
  - set:
      field: event.kind
      value: pipeline_error
  - append:
      field: error.message
      value: "{{ _ingest.on_failure_message }}"

This way local formatting of the failure message is preserved in conjunction with any failure tags.

[nicpenning]

Do I remove this then?

 - set:
      field: error.message
      value: |-
        Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"

[efd6]

Yep. If you take the suggestion I started with and replace all of the text in the file from the date processor on with that, then you have what we need.

[nicpenning]

I think I am getting closer. Sorry this one has been a rough go :D

[nicpenning]

Sorry pushing the wrong buttons on my phone. Ready to test?

[efd6]

Can you amend the global on_failure option to set event.kind and use an append in place of a set for error.message?

[nicpenning]

Sorry I forgot to put those back in as intended.

Please give that a go.

[efd6]

Suggested change

	value: |-
	Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
	value: "{{ _ingest.on_failure_message }}"

The errors are already formatted in the fail processor.

[nicpenning]

Understood. Updated.

[efd6]

/test

[efd6]

Thanks

[nicpenning]

You are welcome! Thanks for the help!

[elasticmachine]

Package system - 1.24.3 containing this change is available at https://epr.elastic.co/search?package=system

[elasticmachine]

Package winlog - 1.12.2 containing this change is available at https://epr.elastic.co/search?package=winlog