Skip to content

checkpoint: test and support R81 logs #5440

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Mar 8, 2023
Merged

checkpoint: test and support R81 logs #5440

merged 4 commits into from
Mar 8, 2023

Conversation

efd6
Copy link
Contributor

@efd6 efd6 commented Mar 6, 2023

What does this PR do?

This adds minimal representors of a corpus of ~3300 events from an R81.20 appliance. Some additional field definitions are added and missing type conversions for icmp_code and icmp_type are added.

In addition to this there was one case of a log line containing more than one time field. This line does not appear to be corrupted and has an outzonlags which may explain the presence of two times. Additional processing is added to support multiple times.

Finally error handling in script and kv processors is enhanced.

Corpus is available on request.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@efd6 efd6 self-assigned this Mar 6, 2023
@efd6 efd6 force-pushed the 5079-checkpoint branch from d3eb138 to f8cb2d5 Compare March 6, 2023 03:04
@elasticmachine
Copy link

elasticmachine commented Mar 6, 2023
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2023-03-08T10:29:57.187+0000

  • Duration: 17 min 46 sec

Test stats 🧪

Test Results
Failed 0
Passed 12
Skipped 0
Total 12

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@efd6 efd6 force-pushed the 5079-checkpoint branch from f8cb2d5 to e08c13b Compare March 6, 2023 03:26
@elasticmachine
Copy link

elasticmachine commented Mar 6, 2023
edited
Loading

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (1/1) 💚
Files 100.0% (1/1) 💚
Classes 100.0% (1/1) 💚
Methods 100.0% (17/17) 💚 66.667
Lines 87.379% (900/1030) 👎 -12.621
Conditionals 100.0% (0/0) 💚

@efd6 efd6 marked this pull request as ready for review March 6, 2023 04:55
@efd6 efd6 requested a review from a team as a code owner March 6, 2023 04:55
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@efd6 efd6 force-pushed the 5079-checkpoint branch from e08c13b to f4a092a Compare March 6, 2023 05:04
@efd6
checkpoint: test and support R81 logs
2ee2ef3 
This adds minimal representors of a corpus of ~3300 events from an R81.20
appliance. Some additional field definitions are added and missing type
conversions for icmp_code and icmp_type are added.

In addition to this there was one case of a log line containing more than one
time field. This line does not appear to be corrupted and has an outzonlags
which may explain the presence of two times. Additional processing is added
to support multiple times.

Finally error handling in script and kv processors is enhanced.
@efd6 efd6 force-pushed the 5079-checkpoint branch from f4a092a to 2ee2ef3 Compare March 7, 2023 03:16
@jamiehynds
Copy link

Thanks for working through this one @efd6. We'll also need to adjust the compatibility section of our docs to indicate support for R81. We can drop all mention of R77.30 as it's end of life.

@efd6
Copy link
Contributor Author

efd6 commented Mar 7, 2023

R81 is listed there, I'll remove R77.

@efd6 efd6 mentioned this pull request Mar 8, 2023
Merged
5 tasks
kcreddy
kcreddy reviewed Mar 8, 2023
View reviewed changes
@jamiehynds
Copy link

R81 is listed there, I'll remove R77.

@efd6 I only see a reference to R80 - "This module has been tested against Check Point Log Exporter on R80.X but should also work with R77.30."

@efd6
Copy link
Contributor Author

efd6 commented Mar 8, 2023

@jamiehynds In this change:

https://github.com/elastic/integrations/pull/5440/files#diff-5fb552715f306989284fc752ff67126271ad4742e795753cbe5287e46b27db73R12

https://github.com/elastic/integrations/pull/5440/files#diff-8b72ce11f0820ed604699ac39afe629fb3a3d6a48855b3797063e5411cbd6e8fR12

@efd6 efd6 requested a review from kcreddy March 8, 2023 10:30
@efd6 efd6 merged commit de69055 into elastic:main Mar 8, 2023
@elasticmachine
Copy link

Package checkpoint - 1.16.0 containing this change is available at https://epr.elastic.co/search?package=checkpoint

3 similar comments
@elasticmachine
Copy link

Package checkpoint - 1.16.0 containing this change is available at https://epr.elastic.co/search?package=checkpoint

@elasticmachine
Copy link

Package checkpoint - 1.16.0 containing this change is available at https://epr.elastic.co/search?package=checkpoint

@elasticmachine
Copy link

Package checkpoint - 1.16.0 containing this change is available at https://epr.elastic.co/search?package=checkpoint

agithomas pushed a commit to agithomas/integrations that referenced this pull request Mar 20, 2023
@efd6 @agithomas
checkpoint: test and support R81 logs (elastic#5440)
5a8fbf0 
This adds minimal representors of a corpus of ~3300 events from an R81.20
appliance. Some additional field definitions are added and missing type
conversions for icmp_code and icmp_type are added.

In addition to this there was one case of a log line containing more than one
time field. This line does not appear to be corrupted and has an outzonlags
which may explain the presence of two times. Additional processing is added
to support multiple times.

Finally error handling in script and kv processors is enhanced.
agithomas pushed a commit to agithomas/integrations that referenced this pull request Mar 21, 2023
@efd6 @agithomas
checkpoint: test and support R81 logs (elastic#5440)
bb415aa 
This adds minimal representors of a corpus of ~3300 events from an R81.20
appliance. Some additional field definitions are added and missing type
conversions for icmp_code and icmp_type are added.

In addition to this there was one case of a log line containing more than one
time field. This line does not appear to be corrupted and has an outzonlags
which may explain the presence of two times. Additional processing is added
to support multiple times.

Finally error handling in script and kv processors is enhanced.
@efd6 efd6 deleted the 5079-checkpoint branch February 5, 2025 22:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kcreddy kcreddy kcreddy approved these changes

Assignees

@efd6 efd6

Labels
enhancement New feature or request Integration:checkpoint Check Point
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Check Point] R81 Support
4 participants
@efd6 @elasticmachine @jamiehynds @kcreddy