[QNAP]: Add support for access logs with user.domain and event logs without any associated user and ip address #17408
maximilianpohle wants to merge 4 commits into elastic:main from
Conversation
💚 CLA has been signed.
bhapas left a comment:
Please update changelog and create a new version.
Pinging @elastic/integration-experience (Team:Integration-Experience)
ilyannn left a comment:
Please run elastic-package build and commit the updated docs/README.md
packages/qnap_nas/data_stream/log/_dev/test/pipeline/test-access.log-expected.json (resolved)
✅ Vale Linting Results: No issues found on modified lines! The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to the Elastic style guide for Vale.
/test
1 similar comment
/test
🚀 Benchmarks report: To see the full report comment with
ilyannn left a comment:
I don't have any issues but will defer to others on the grok pattern
| - '^%{SHARED}, Connection type: %{DATA:qnap.nas.connection_type}, Accessed resources: %{RESOURCE}, Action: %{DATA:event.action}$' | ||
| pattern_definitions: | ||
| SHARED: 'Users: %{USER:user.name}, Source IP: (127.0.0.1|%{IP:source.address}), Computer name: (---|%{HOSTNAME:source.domain})' | ||
| SHARED: 'Users: (---|(%{WORD:user.domain}\\)?%{USER:user.name}), Source IP: (---|127.0.0.1|%{IP:source.address}), Computer name: (---|%{HOSTNAME:source.domain})' |
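Review bot: in the new SHARED definition, the alternation `Source IP: (---|127.0.0.1|%{IP:source.address})` consumes both the new `---` placeholder and a loopback source without populating `source.address`, and the `127.0.0.1` literal uses unescaped dots, so it is a regex wildcard rather than an exact match. Consider writing it as `127\.0\.0\.1` and adding a comment in the pipeline stating that both cases intentionally leave `source.address` unset, so later processors must tolerate the field being absent; the same applies to `user.name` and `source.domain` when their `---` alternatives match.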
Will WORD be too restrictive here? Is the domain guaranteed to not have a .? This won't match the pattern if it includes one. If domain is a NETBIOS-style name, then WORD will be fine.
I haven’t seen any domains with dots in the logs, so it would probably be fine—but I switched it to DATA anyway to match the pattern used in other integrations and avoid any edge cases.
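To check how the updated SHARED pattern handles the cases this PR adds (a `---` user, a `domain\user` value, a loopback or `---` source IP), here is an added Python example that is not part of the PR or the integration. It expands the SHARED definition from the diff into a Python regex using approximations of the standard grok WORD, USER, IP and HOSTNAME definitions (assumed here; IPv4 only) and runs it over constructed log lines.

```python
import re

# Approximations of the standard grok definitions referenced by SHARED
# (assumption: IPv4 only; the real IP pattern also accepts IPv6).
GROK = {
    "WORD": r"\b\w+\b",
    "USER": r"[a-zA-Z0-9._-]+",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "HOSTNAME": r"\b[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*(?:\.|\b)",
}

# The SHARED definition from the PR diff, copied verbatim; in a YAML
# single-quoted string "\\" reaches grok as an escaped literal backslash.
SHARED = (
    r"Users: (---|(%{WORD:user.domain}\\)?%{USER:user.name}), "
    r"Source IP: (---|127.0.0.1|%{IP:source.address}), "
    r"Computer name: (---|%{HOSTNAME:source.domain})"
)


def grok_to_regex(pattern):
    """Expand %{NAME:field} into a named group. Dots are not legal in
    Python group names, so they become underscores and are restored later."""
    return re.sub(
        r"%\{(\w+):([\w.]+)\}",
        lambda m: f"(?P<{m.group(2).replace('.', '_')}>{GROK[m.group(1)]})",
        pattern,
    )


SHARED_RE = re.compile(grok_to_regex(SHARED))


def parse_shared(line):
    """Return the ECS fields the pattern populates for one access-log line,
    or None if it does not match. '---' and 127.0.0.1 are consumed by the
    literal alternatives, so their fields stay absent, as they would in ES."""
    m = SHARED_RE.search(line)
    if m is None:
        return None
    return {k.replace("_", "."): v for k, v in m.groupdict().items() if v is not None}


# Constructed sample lines covering the cases the PR adds.
SAMPLES = [
    "Users: admin, Source IP: 192.0.2.10, Computer name: WORKSTATION01, Connection type: SMB",
    "Users: CORP\\admin, Source IP: 127.0.0.1, Computer name: ---, Connection type: SMB",
    "Users: ---, Source IP: ---, Computer name: ---, Connection type: System",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_shared(line))
```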
/test
💚 Build Succeeded
History
Add support for access logs with user.domain and event logs without any associated user and ip address.
Added additional sample event logs as well.
Proposed commit message
Checklist
changelog.yml file.
Author's Checklist
How to test this PR locally
Related issues
Screenshots