Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
Hey @narph - we got some log samples from them. They also offered to give us access to an S3 bucket in case we want more. Let me know if that would be helpful.
All three inputs handle gzip-compressed data, but the data being sent in the compressed container differs significantly from the data that we currently handle. The current data is a line-based JSON stream, while the examples provided are a headered CSV using space (\u0020) as the delimiter. None of the inputs currently supports CSV of any flavour; gcs assumes JSON, as does azure blob storage, while aws has a configurable parquet decoder.
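For reference, a minimal Go sketch (not the existing input code) of what decoding such a stream could look like, assuming the objects are gzip-compressed, headered, space-delimited CSV; the field names in the in-memory sample are made up for illustration:

```go
// Minimal sketch: decode a gzip-compressed, headered CSV stream that uses
// space (\u0020) as the delimiter, emitting one map per row keyed by the
// header fields. Not the Beats input implementation.
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/csv"
	"fmt"
	"io"
	"log"
)

func decodeSpaceCSV(r io.Reader) ([]map[string]string, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	defer gz.Close()

	cr := csv.NewReader(gz)
	cr.Comma = ' ' // space-delimited rather than comma-delimited

	header, err := cr.Read() // first record is the header row
	if err != nil {
		return nil, err
	}

	var events []map[string]string
	for {
		rec, err := cr.Read()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		event := make(map[string]string, len(header))
		for i, name := range header {
			if i < len(rec) {
				event[name] = rec[i]
			}
		}
		events = append(events, event)
	}
	return events, nil
}

func main() {
	// Build a small gzip-compressed sample in memory (hypothetical fields).
	var buf bytes.Buffer
	gw := gzip.NewWriter(&buf)
	gw.Write([]byte("timestamp user action\n1700000000 alice allow\n1700000001 bob block\n"))
	gw.Close()

	events, err := decodeSpaceCSV(&buf)
	if err != nil {
		log.Fatal(err)
	}
	for _, e := range events {
		fmt.Println(e)
	}
}
```

In the actual inputs this would presumably sit behind a configurable decoder option, alongside the existing JSON handling and the aws parquet decoder.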
Hi @efd6, thanks for taking a look. It sounds like we will need to add CSV support to our cloud storage inputs, and then add new data streams/pipelines to the Netskope integration to support those events?
First, I am confirming that CSV is definitely the format they'll be using long term, and that they aren't planning to support JSON from cloud storage.
@cpascale43 Thanks
Sharing the context received from Netskope:
Netskope is changing how it delivers logs/events and wants us to support ingesting them through cloud storage (S3, Azure Blob, GCP). They have indicated the logs will be in a compressed format, likely gzip. We need to test our existing S3, Azure Blob, and GCP inputs against the new format.
The key tasks are: