elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

Allow filebeat Azure activitylogs, platformlogs and auditlogs to work with IPv6 addresses #34277

Open cFire opened 1 year ago

cFire commented 1 year ago

Currently the activitylogs, platformlogs and auditlogs filesets have an ingest pipeline which uses GROK patterns to parse the source.ip field, however this breaks for IPv6 addresses. ([...]failed to parse field [source.ip] of type [ip] in document with id xxxxxxx. . Preview of field's value: '2001'[...]).

We have implemented a workaround by adding %{IPV6:source.ip} to the grok patterns in the ingest pipelines for these filesets, which is a little bit hacky since we're modifying automatically loaded pipelines that change with every filebeat version.

We'd be happy to create a pull request for this so we can go back to just using the regular pipeline management, but I'm not sure if this would be considered an acceptable workaround to have upstreamed. Could you please advise if we should open a pull request for this or not?
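An added Python example (not code from this issue or from the beats pipelines) that reproduces the symptom described above: a stand-in for an IPv4-only capture pattern cuts an IPv6 address down to `2001`, which an `ip`-typed field then rejects, while a pattern with an IPv6 alternative yields a value the `ipaddress` module accepts. The regexes, the `callerIpAddress=` field and the sample lines are constructed assumptions, not the pipeline's real Grok definitions.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed stand-ins for Grok patterns (assumption: the real pipeline's
# IPV4/IPV6 definitions are longer and stricter than these).
NAIVE_IP = r"[0-9.]+"                                   # grabs "2001" from "2001:db8::1"
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
IPV6 = r"[0-9A-Fa-f]{0,4}(?::[0-9A-Fa-f]{0,4}){2,7}"  # loose; validated afterwards

# "Before": only digits and dots are captured, so IPv6 input is truncated.
BEFORE = re.compile(rf"callerIpAddress=(?P<source_ip>{NAIVE_IP})")
# "After": try the IPv6 alternative first, then dotted-quad IPv4.
AFTER = re.compile(rf"callerIpAddress=(?P<source_ip>{IPV6}|{IPV4})")

# Constructed sample events (not real Azure log lines).
SAMPLE_LINES = [
    "callerIpAddress=198.51.100.7 operationName=MICROSOFT.STORAGE/WRITE",
    "callerIpAddress=2001:db8::1 operationName=MICROSOFT.STORAGE/WRITE",
]


def extract_source_ip(line: str, pattern: re.Pattern) -> Optional[str]:
    """Return the value the pattern would put into source.ip, or None if no match."""
    m = pattern.search(line)
    return m.group("source_ip") if m else None


def accepted_by_ip_field(value: Optional[str]) -> bool:
    """Mimic the `ip` mapping: the value must parse as an IPv4 or IPv6 address."""
    if value is None:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def run(pattern: re.Pattern) -> List[Tuple[Optional[str], bool]]:
    """For each sample line: (captured source.ip, would the ip field accept it?)."""
    results = []
    for line in SAMPLE_LINES:
        value = extract_source_ip(line, pattern)
        results.append((value, accepted_by_ip_field(value)))
    return results


if __name__ == "__main__":
    print("before:", run(BEFORE))  # IPv6 line yields ('2001', False)
    print("after: ", run(AFTER))   # IPv6 line yields ('2001:db8::1', True)
```
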

zmoog commented 1 year ago

Hey @cFire, thank you for working on a fix for this issue!

It doesn't need to be perfect! Feel free to create a draft PR with the work you have already done and mention me, so we can work on it together to see if we can improve it.

Besides the fix, please consider adding sample logs for the automated tests.