E2E tests for the plugin.

[mashhurs]

Description

Adds integration tests for ["apache", "m365_defender", "nginx", "tomcat"] integrations, can be easily changeable in main.py

High level description: E2E framework

• downloads latest distribution of the elastic-package
• creates an E2E profile and enables the Logstash
• builds a plugin - this requires Logstash source, so it will also clone LS source and build
• installs plugin, applies config and reloads to apply changes
• clones the integrations package, deploys packages and sends events
• validates with Logstash stats API if elastic_integration plugin processed events. Sometimes, events might get cancelled in integrations, so E2E checks if elastic-package got some errors to make sure the expectation met.
• finally stops containers spinned by elastic-package
• note that while testing if any error occurs, E2E doesn't stop but it reports at the end which package failed with what error

How to test

• Follow the .buildkite/scripts/e2e/README.md file.
• Serverless support also added 🎉 , follow the README.md for the guide.

Integrate with BK CI

• When calling script from the BK pipeline, we need to first resolve STACK_VERSION and export it. This will be resolved through BK pipeline script via ELASTIC_STACK_VERSION (as we use)
• Need prerequisites installed before running execution, pip install -r .buildkite/scripts/e2e/requirements.txt
• Run tests with python .buildkite/scripts/e2e/main.py

Author's checklist

• [x] Make a change in elastic-package to run Logstash with auto config reload. It is very useful when we apply other config in-flight testing, PR: https://github.com/elastic/elastic-package/pull/1668

Logs

• Logs from LS docker container

  Setting 'xpack.monitoring.enabled' from environment.
  Missing plugin logstash-filter-elastic_integration, installing now
  Using bundled JDK: /usr/share/logstash/jdk
  Validating logstash-filter-elastic_integration
  Resolving mixin dependencies
  Installing logstash-filter-elastic_integration
  Installation successful
  Using bundled JDK: /usr/share/logstash/jdk
  /usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/executor/java_thread_pool_executor.rb:13: warning: method redefined; discarding old to_int
  /usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/executor/java_thread_pool_executor.rb:13: warning: method redefined; discarding old to_f
  Sending Logstash logs to /usr/share/logstash/logs which is now configured via log4j2.properties
  [2024-02-09T22:54:41,182][INFO ][logstash.runner          ] Log4j configuration path used is: /usr/share/logstash/config/log4j2.properties
  [2024-02-09T22:54:41,185][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"8.12.0", "jruby.version"=>"jruby 9.4.5.0 (3.1.4) 2023-11-02 1abae2700f OpenJDK 64-Bit Server VM 17.0.9+9 on 17.0.9+9 +indy +jit [aarch64-linux]"}
  [2024-02-09T22:54:41,186][INFO ][logstash.runner          ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, -Dlogstash.jackson.stream-read-constraints.max-string-length=200000000, -Dlogstash.jackson.stream-read-constraints.max-number-length=10000, -Dls.cgroup.cpuacct.path.override=/, -Dls.cgroup.cpu.path.override=/, -Djruby.regexp.interruptible=true, -Djdk.io.File.enableADS=true, --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED]
  [2024-02-09T22:54:41,187][INFO ][logstash.runner          ] Jackson default value override `logstash.jackson.stream-read-constraints.max-string-length` configured to `200000000`
  [2024-02-09T22:54:41,187][INFO ][logstash.runner          ] Jackson default value override `logstash.jackson.stream-read-constraints.max-number-length` configured to `10000`
  [2024-02-09T22:54:41,190][INFO ][logstash.settings        ] Creating directory {:setting=>"path.queue", :path=>"/usr/share/logstash/data/queue"}
  [2024-02-09T22:54:41,192][INFO ][logstash.settings        ] Creating directory {:setting=>"path.dead_letter_queue", :path=>"/usr/share/logstash/data/dead_letter_queue"}
  [2024-02-09T22:54:41,278][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
  [2024-02-09T22:54:41,283][INFO ][logstash.agent           ] No persistent UUID file found. Generating new UUID {:uuid=>"e8650cfd-7cf4-45fc-82b4-54c807f8f3a6", :path=>"/usr/share/logstash/data/uuid"}
  [2024-02-09T22:54:41,502][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
  [2024-02-09T22:54:41,569][INFO ][org.reflections.Reflections] Reflections took 44 ms to scan 1 urls, producing 132 keys and 468 values
  /usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/amazing_print-1.5.0/lib/amazing_print/formatter.rb:37: warning: previous definition of cast was here
  [2024-02-09T22:54:41,711][INFO ][logstash.javapipeline    ] Pipeline `main` is configured with `pipeline.ecs_compatibility: v8` setting. All plugins in this pipeline will default to `ecs_compatibility => v8` unless explicitly configured otherwise.
  [2024-02-09T22:54:41,723][INFO ][logstash.javapipeline    ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>5, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>625, "pipeline.sources"=>["/usr/share/logstash/pipeline/logstash.conf"], :thread=>"#<Thread:0x146fb8da /usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
  [2024-02-09T22:54:41,968][INFO ][logstash.javapipeline    ][main] Pipeline Java execution initialization time {"seconds"=>0.24}
  [2024-02-09T22:54:41,970][INFO ][logstash.inputs.beats    ][main] Starting input listener {:address=>"0.0.0.0:5044"}
  [2024-02-09T22:54:41,973][INFO ][logstash.javapipeline    ][main] Pipeline started {"pipeline.id"=>"main"}
  [2024-02-09T22:54:41,985][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
  [2024-02-09T22:54:42,005][INFO ][org.logstash.beats.Server][main][0710cad67e8f47667bc7612580d5b91f691dd8262a4187d9eca8cf87229d04aa] Starting server on port: 5044
  [2024-02-09T22:56:18,905][WARN ][logstash.runner          ] SIGTERM received. Shutting down.
  [2024-02-09T22:56:25,069][INFO ][logstash.javapipeline    ][main] Pipeline terminated {"pipeline.id"=>"main"}
  [2024-02-09T22:56:26,008][INFO ][logstash.pipelinesregistry] Removed pipeline from registry successfully {:pipeline_id=>:main}
  [2024-02-09T22:56:26,019][INFO ][logstash.runner          ] Logstash shut down.
  2024/02/09 22:56:26 Setting 'xpack.monitoring.enabled' from environment.
  Using bundled JDK: /usr/share/logstash/jdk
  /usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/executor/java_thread_pool_executor.rb:13: warning: method redefined; discarding old to_int
  /usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/executor/java_thread_pool_executor.rb:13: warning: method redefined; discarding old to_f
  Sending Logstash logs to /usr/share/logstash/logs which is now configured via log4j2.properties
  [2024-02-09T22:56:37,831][INFO ][logstash.runner          ] Log4j configuration path used is: /usr/share/logstash/config/log4j2.properties
  [2024-02-09T22:56:37,834][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"8.12.0", "jruby.version"=>"jruby 9.4.5.0 (3.1.4) 2023-11-02 1abae2700f OpenJDK 64-Bit Server VM 17.0.9+9 on 17.0.9+9 +indy +jit [aarch64-linux]"}
  [2024-02-09T22:56:37,835][INFO ][logstash.runner          ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, -Dlogstash.jackson.stream-read-constraints.max-string-length=200000000, -Dlogstash.jackson.stream-read-constraints.max-number-length=10000, -Dls.cgroup.cpuacct.path.override=/, -Dls.cgroup.cpu.path.override=/, -Djruby.regexp.interruptible=true, -Djdk.io.File.enableADS=true, --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED]
  [2024-02-09T22:56:37,836][INFO ][logstash.runner          ] Jackson default value override `logstash.jackson.stream-read-constraints.max-string-length` configured to `200000000`
  [2024-02-09T22:56:37,836][INFO ][logstash.runner          ] Jackson default value override `logstash.jackson.stream-read-constraints.max-number-length` configured to `10000`
  [2024-02-09T22:56:37,922][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
  [2024-02-09T22:56:38,177][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
  [2024-02-09T22:56:38,308][INFO ][org.reflections.Reflections] Reflections took 59 ms to scan 1 urls, producing 132 keys and 468 values
  [2024-02-09T22:56:38,475][INFO ][logstash.javapipeline    ] Pipeline `main` is configured with `pipeline.ecs_compatibility: v8` setting. All plugins in this pipeline will default to `ecs_compatibility => v8` unless explicitly configured otherwise.
  [2024-02-09T22:56:38,482][INFO ][logstash.outputs.elasticsearch][main] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["https://elasticsearch:9200"]}
  [2024-02-09T22:56:38,484][WARN ][logstash.outputs.elasticsearch][main] You have enabled encryption but DISABLED certificate verification, to make sure your data is secure set `ssl_verification_mode => full`
  [2024-02-09T22:56:38,528][INFO ][logstash.outputs.elasticsearch][main] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[https://elastic:xxxxxx@elasticsearch:9200/]}}
  [2024-02-09T22:56:38,651][WARN ][logstash.outputs.elasticsearch][main] Restored connection to ES instance {:url=>"https://elastic:xxxxxx@elasticsearch:9200/"}
  [2024-02-09T22:56:38,652][INFO ][logstash.outputs.elasticsearch][main] Elasticsearch version determined (8.12.0) {:es_version=>8}
  [2024-02-09T22:56:38,652][WARN ][logstash.outputs.elasticsearch][main] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>8}
  [2024-02-09T22:56:38,659][INFO ][logstash.outputs.elasticsearch][main] Data streams auto configuration (`data_stream => auto` or unset) resolved to `true`
  [2024-02-09T22:56:38,735][INFO ][co.elastic.logstash.filters.elasticintegration.PreflightCheck][main] Elasticsearch build_flavor: default
  [2024-02-09T22:56:38,738][INFO ][logstash.filters.elasticintegration][main] by not manually configuring self-managed databases with `geoip_database_directory => ...` you accept and agree to the MaxMind EULA, which allows Elastic Integrations to use Logstash's Geoip Database Management service. For more details please visit https://www.maxmind.com/en/geolite2/eula
  [2024-02-09T22:56:42,480][INFO ][logstash.geoipdatabasemanagement.manager][main] managed geoip database has been updated on disk {:database_type=>"ASN", :database_path=>"/usr/share/logstash/data/geoip_database_management/1707519398/GeoLite2-ASN.mmdb"}
  [2024-02-09T22:56:42,604][INFO ][logstash.geoipdatabasemanagement.manager][main] managed geoip database has been updated on disk {:database_type=>"City", :database_path=>"/usr/share/logstash/data/geoip_database_management/1707519398/GeoLite2-City.mmdb"}
  [2024-02-09T22:56:43,363][INFO ][co.elastic.logstash.filters.elasticintegration.PreflightCheck][main] Elasticsearch license OK (active trial)
  [2024-02-09T22:56:43,376][INFO ][logstash.javapipeline    ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>5, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>625, "pipeline.sources"=>["/usr/share/logstash/pipeline/logstash.conf"], :thread=>"#<Thread:0x678c4bf5 /usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
  [2024-02-09T22:56:43,701][INFO ][logstash.javapipeline    ][main] Pipeline Java execution initialization time {"seconds"=>0.32}
  [2024-02-09T22:56:43,704][INFO ][logstash.inputs.beats    ][main] Starting input listener {:address=>"0.0.0.0:5044"}
  [2024-02-09T22:56:43,709][INFO ][logstash.javapipeline    ][main] Pipeline started {"pipeline.id"=>"main"}
  [2024-02-09T22:56:43,714][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
  [2024-02-09T22:56:43,776][INFO ][org.logstash.beats.Server][main][165fa0a2930fbc993b433bccdff6f17eda3c60c67a00b3bf8de46c4e17f46b60] Starting server on port: 5044
  /usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/manticore-0.9.1-java/lib/manticore/client.rb:284: warning: already initialized constant Manticore::Client::HttpPost
  /usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/manticore-0.9.1-java/lib/manticore/client.rb:284: warning: already initialized constant Manticore::Client::HttpPost
  /usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/manticore-0.9.1-java/lib/manticore/client.rb:534: warning: already initialized constant Manticore::Client::ByteArrayEntity
  /usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/manticore-0.9.1-java/lib/manticore/client.rb:534: warning: already initialized constant Manticore::Client::ByteArrayEntity
  /usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/manticore-0.9.1-java/lib/manticore/client.rb:534: warning: already initialized constant Manticore::Client::ByteArrayEntity
  [2024-02-09T22:59:43,330][INFO ][co.elastic.logstash.filters.elasticintegration.resolver.SimpleResolverCache][main] reload-modified(pipeline-name) { logs-apache.error-ep }
  [2024-02-09T22:59:43,335][INFO ][co.elastic.logstash.filters.elasticintegration.resolver.SimpleResolverCache][main] reload-removed(pipeline-name) { metrics-apache.status-ep }
  [2024-02-09T22:59:43,341][INFO ][co.elastic.logstash.filters.elasticintegration.resolver.SimpleResolverCache][main] reload-modified(pipeline-name) { logs-apache.access-ep }
  [2024-02-09T23:01:32,342][WARN ][logstash.outputs.elasticsearch][main][5ea89be67a6b5f51750acc249510be80c88a895ba4b41c360acd7692541c8898] Failed action {:status=>409, :action=>["create", {:_id=>"LkXX+iwFcjtJ1LDVV4s6X5srU0I=", :_index=>"logs-m365_defender.log-ep", :routing=>nil, :pipeline=>"_none"}, {"host"=>{"name"=>["user5cx.middleeast.corp.contoso.com"]}, "data_stream"=>{"type"=>"logs", "dataset"=>"m365_defender.log", "namespace"=>"ep"}, "event"=>{"created"=>"2020-09-06T12:18:03.6266667Z", "severity"=>2, "action"=>"Malware", "timezone"=>"UTC", "start"=>"2020-09-06T12:15:07.7272048Z", "duration"=>0, "provider"=>"MicrosoftDefenderATP", "original"=>"{\"alerts\":{\"actorName\":null,\"alertId\":\"da637349914833441527_393341063\",\"assignedTo\":null,\"category\":\"Malware\",\"classification\":null,\"creationTime\":\"2020-09-06T12:18:03.3285366Z\",\"description\":\"Readily available tools, such as hacking programs, can be used by unauthorized individuals to spy on users. When used by attackers, these tools are often installed without authorization and used to compromise targeted machines.\\n\\nThese tools are often used to collect personal information from browser records, record key presses, access email and instant messages, record voice and video conversations, and take screenshots.\\n\\nThis detection might indicate that Windows Defender Antivirus has stopped the tool from being installed and used effectively. However, it is prudent to check the machine for the files and processes associated with the detected tool.\",\"detectionSource\":\"WindowsDefenderAv\",\"determination\":null,\"devices\":[{\"aadDeviceId\":null,\"deviceDnsName\":\"user5cx.middleeast.corp.contoso.com\",\"firstSeen\":\"2020-02-06T14:16:01.9330135Z\",\"healthStatus\":\"Active\",\"mdatpDeviceId\":\"24c222b0b60fe148eeece49ac83910cc6a7ef491\",\"osBuild\":14393,\"osPlatform\":\"WindowsServer2016\",\"osProcessor\":\"x64\",\"rbacGroupId\":9,\"rbacGroupName\":\"WDATP-Ring0\",\"riskScore\":\"High\",\"version\":\"1607\"}],\"entities\":{\"aadUserId\":null,\"accountName\":null,\"clusterBy\":null,\"deliveryAction\":null,\"deviceId\":\"24c222b0b60fe148eeece49ac83910cc6a7ef491\",\"domainName\":null,\"entityType\":\"File\",\"fileName\":\"Detector.UnitTests.dll\",\"filePath\":\"C:\\\\Agent\\\\_work\\\\_temp\\\\Deploy_SYSTEM 2020-09-06 12_14_54\\\\Out\",\"ipAddress\":null,\"mailboxAddress\":null,\"mailboxDisplayName\":null,\"parentProcessCreationTime\":null,\"parentProcessId\":null,\"processCommandLine\":null,\"processCreationTime\":null,\"processId\":null,\"recipient\":null,\"registryHive\":null,\"registryKey\":null,\"registryValue\":null,\"registryValueType\":null,\"securityGroupId\":null,\"securityGroupName\":null,\"sender\":null,\"sha1\":\"5de839186691aa96ee2ca6d74f0a38fb8d1bd6dd\",\"sha256\":null,\"subject\":null,\"url\":null,\"userPrincipalName\":null,\"userSid\":null},\"firstActivity\":\"2020-09-06T12:15:07.7272048Z\",\"incidentId\":924521,\"investigationId\":null,\"investigationState\":\"UnsupportedOs\",\"lastActivity\":\"2020-09-06T12:15:07.7272048Z\",\"lastUpdatedTime\":\"2020-09-06T12:18:04.2566667Z\",\"mitreTechniques\":[],\"resolvedTime\":null,\"serviceSource\":\"MicrosoftDefenderATP\",\"severity\":\"Low\",\"status\":\"New\",\"threatFamilyName\":\"Mimikatz\",\"title\":\"'Mimikatz' hacktool was detected\"},\"assignedTo\":null,\"classification\":\"Unknown\",\"comments\":[],\"createdTime\":\"2020-09-06T12:18:03.6266667Z\",\"determination\":\"NotAvailable\",\"incidentId\":924521,\"incidentName\":\"'Mimikatz' hacktool was detected on one endpoint\",\"lastUpdateTime\":\"2020-09-06T12:18:03.81Z\",\"redirectIncidentId\":null,\"severity\":\"Low\",\"status\":\"Active\",\"tags\":[]}", "end"=>"2020-09-06T12:15:07.7272048Z", "type"=>["info"], "kind"=>"alert", "category"=>["host"], "id"=>"da637349914833441527_393341063", "dataset"=>"m365_defender.log"}, "file"=>{"path"=>"C:\\Agent\\_work\\_temp\\Deploy_SYSTEM 2020-09-06 12_14_54\\Out", "hash"=>{"sha1"=>"5de839186691aa96ee2ca6d74f0a38fb8d1bd6dd"}, "name"=>"Detector.UnitTests.dll"}, "related"=>{"hash"=>["5de839186691aa96ee2ca6d74f0a38fb8d1bd6dd"], "hosts"=>["user5cx.middleeast.corp.contoso.com"]}, "input"=>{"type"=>"httpjson"}, "@timestamp"=>2020-09-06T12:18:03.810Z, "agent"=>{"ephemeral_id"=>"98a8096b-a580-47bf-b832-8d47d979a5a1", "type"=>"filebeat", "version"=>"8.12.0", "name"=>"docker-fleet-agent", "id"=>"c71ca1b4-a8a4-40f0-8d52-be54e852feae"}, "process"=>{"parent"=>{}}, "threat"=>{"framework"=>"MITRE ATT&CK", "technique"=>{"name"=>["Malware"]}}, "m365_defender"=>{"determination"=>"NotAvailable", "incidentName"=>"'Mimikatz' hacktool was detected on one endpoint", "classification"=>"Unknown", "status"=>"Active", "alerts"=>{"entities"=>{"entityType"=>"File", "deviceId"=>"24c222b0b60fe148eeece49ac83910cc6a7ef491"}, "devices"=>[{"osBuild"=>14393, "deviceDnsName"=>"user5cx.middleeast.corp.contoso.com", "rbacGroupName"=>"WDATP-Ring0", "mdatpDeviceId"=>"24c222b0b60fe148eeece49ac83910cc6a7ef491", "version"=>"1607", "healthStatus"=>"Active", "osProcessor"=>"x64", "rbacGroupId"=>9, "riskScore"=>"High", "firstSeen"=>"2020-02-06T14:16:01.9330135Z", "osPlatform"=>"WindowsServer2016"}], "severity"=>"Low", "lastUpdatedTime"=>"2020-09-06T12:18:04.2566667Z", "status"=>"New", "investigationState"=>"UnsupportedOs", "creationTime"=>"2020-09-06T12:18:03.3285366Z", "threatFamilyName"=>"Mimikatz", "detectionSource"=>"WindowsDefenderAv", "incidentId"=>"924521"}, "incidentId"=>"924521"}, "elastic_agent"=>{"snapshot"=>false, "version"=>"8.12.0", "id"=>"c71ca1b4-a8a4-40f0-8d52-be54e852feae"}, "cloud"=>{"provider"=>"azure"}, "tags"=>["preserve_original_event", "m365_defender", "forwarded", "beats_input_codec_plain_applied"], "rule"=>{"description"=>"Readily available tools, such as hacking programs, can be used by unauthorized individuals to spy on users. When used by attackers, these tools are often installed without authorization and used to compromise targeted machines.\n\nThese tools are often used to collect personal information from browser records, record key presses, access email and instant messages, record voice and video conversations, and take screenshots.\n\nThis detection might indicate that Windows Defender Antivirus has stopped the tool from being installed and used effectively. However, it is prudent to check the machine for the files and processes associated with the detected tool."}, "message"=>"'Mimikatz' hacktool was detected", "observer"=>{"product"=>"365 Defender", "name"=>"MicrosoftDefenderATP", "vendor"=>"Microsoft"}, "user"=>{}, "ecs"=>{"version"=>"8.11.0"}}], :response=>{"create"=>{"status"=>409, "error"=>{"type"=>"version_conflict_engine_exception", "reason"=>"[LkXX+iwFcjtJ1LDVV4s6X5srU0I=]: version conflict, document already exists (current version [1])", "index_uuid"=>"ZAsWJ_avTHyPb4KwHEzlyQ", "shard"=>"0", "index"=>".ds-logs-m365_defender.log-ep-2024.02.09-000001"}}}}
  [2024-02-09T23:02:43,352][INFO ][co.elastic.logstash.filters.elasticintegration.resolver.SimpleResolverCache][main] reload-modified(pipeline-name) { logs-m365_defender.incident-ep }
  [2024-02-09T23:02:43,378][INFO ][co.elastic.logstash.filters.elasticintegration.resolver.SimpleResolverCache][main] reload-modified(pipeline-name) { logs-m365_defender.log-ep }
  [2024-02-09T23:02:43,383][INFO ][co.elastic.logstash.filters.elasticintegration.resolver.SimpleResolverCache][main] reload-modified(pipeline-name) { logs-m365_defender.alert-ep }
  [2024-02-09T23:03:43,336][INFO ][co.elastic.logstash.filters.elasticintegration.resolver.SimpleResolverCache][main] reload-modified(pipeline-name) { logs-nginx.access-ep }
  [2024-02-09T23:03:43,352][INFO ][co.elastic.logstash.filters.elasticintegration.resolver.SimpleResolverCache][main] reload-modified(pipeline-name) { logs-nginx.error-ep }
  [2024-02-09T23:04:43,397][INFO ][co.elastic.logstash.filters.elasticintegration.resolver.SimpleResolverCache][main] reload-removed(pipeline-name) { metrics-nginx.stubstatus-ep }

[mashhurs]

Functionally this looks good. I left some optional comments.

When running the tests locally, using the instructions in the README file, I noticed there were some errors in the output:

Error: one or more test cases failed
Internal failure happened with nginx, process return code: 1.
--- Test results for package: nginx - START ---
FAILURE DETAILS:
nginx/access default (variant: v1):
[0] field "message" is undefined

╭─────────┬─────────────┬───────────┬───────────────────────┬────────────────────────────────────────────────────────────────────────────────────────┬───────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME             │ RESULT                                                                                 │  TIME ELAPSED │
├─────────┼─────────────┼───────────┼───────────────────────┼────────────────────────────────────────────────────────────────────────────────────────┼───────────────┤
│ nginx   │ access      │ system    │ default (variant: v1) │ FAIL: one or more errors found in documents stored in logs-nginx.access-ep data stream │ 48.090519211s │
│ nginx   │ error       │ system    │ default (variant: v1) │ PASS                                                                                   │ 36.341966511s │
│ nginx   │ stubstatus  │ system    │ default (variant: v1) │ PASS                                                                                   │ 31.301999294s │
╰─────────┴─────────────┴───────────┴───────────────────────┴────────────────────────────────────────────────────────────────────────────────────────┴───────────────╯
--- Test results for package: nginx - END   ---
Done

however, the script finished successfully:

...
Stopping elastic-package stack...
Take down the Elastic stack
Done
$ echo $?
0

Shouldn't the above test failure have caused the script to fail too?

This result is coming from internal elastic-package, not from elastic_integration or es-output plugins. If you take a look more logs, you will be able to see how many events plugins processed. Some of events may get rejected by ES and that is caught by elastic-package. Every integration behavior is different and may require different setting especially in es-output side (ECS compatibility, ILM, datastream, etc...). So, with current E2E tests, we are more focusing on running integrations with elastic_integration plugin, may extend to output plugins. Current failure looks because ECS is enabled by default and the data is in event.original. If any failure happens with this, tests fail, otherwise prints out every possible failures (elastic-package, es-output, etc...) for better visibility.

[dliappis]

This result is coming from internal elastic-package, not from elastic_integration or es-output plugins. If you take a look more logs, you will be able to see how many events plugins processed. Some of events may get rejected by ES and that is caught by elastic-package. Every integration behavior is different and may require different setting especially in es-output side (ECS compatibility, ILM, datastream, etc...). So, with current E2E tests, we are more focusing on running integrations with elastic_integration plugin, may extend to output plugins. Current failure looks because ECS is enabled by default and the data is in event.original. If any failure happens with this, tests fail, otherwise prints out every possible failures (elastic-package, es-output, etc...) for better visibility.

Thanks for the clarification. This is alright for now, but I fear it could be trappy behaviour for someone not familiar with the test troubleshooting a failed CI job where there is a genuine error like the one you described above, plus the above nginx error which should be ignored (but how would the person triaging know about it? should we address this in a troubleshooting guide here or at a later PR?)

[elasticmachine]

:green_heart: Build Succeeded

• Buildkite Build
• Commit: 98fefa6551f42b3a596b09d772d5326680b5fa31

History

• :green_heart: Build #296 succeeded a4e95b4ac43e9d8b114ba1d9d2cc329fb7395a40
• :green_heart: Build #295 succeeded a80685cf5c34c28624e7cc519a7da0cfc28cb51c
• :green_heart: Build #294 succeeded 727f9758065a1625d2ca415efbf5db4ed6e80d3b
• :green_heart: Build #293 succeeded 50569d268173f54e57ca91813182e81a23c83a46
• :green_heart: Build #289 succeeded 0c8b0998c8c3dacebb39cc64915ab2599d937820
• :green_heart: Build #288 succeeded e88a5cb8031103bce23e847f20cd862a9c77c833

cc @mashhurs

[mashhurs]

🎉 First 🟢 actual CI