Closed zmoog closed 9 months ago
On CI, the tests run successfully.
The latest execution was using stack 8.6.0, probably because it's the minimum version in the `manifest.yml` file.
If I run the pipeline test on 8.6.0 it succeeds:
elastic-package build && elastic-package stack up -d -v --version 8.6.0
$ elastic-package test pipeline -v
2023/09/26 08:42:09 DEBUG Enable verbose logging
2023/09/26 08:42:09 DEBUG latest version (cached): &{v0.87.1 https://github.com/elastic/elastic-package/releases/tag/v0.87.1 2023-09-26 08:18:48.308297 +0200 CEST}
Run pipeline tests for the package
2023/09/26 08:42:09 DEBUG GET https://127.0.0.1:5601/api/status
--- Test results for package: azure - START ---
╭─────────┬─────────────────────┬───────────┬──────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT │ TIME ELAPSED │
├─────────┼─────────────────────┼───────────┼──────────────────────────────────────────────┼────────┼──────────────┤
│ azure │ activitylogs │ pipeline │ test-activitylogs-edgecases.log │ PASS │ 42.943916ms │
│ azure │ activitylogs │ pipeline │ test-activitylogs-identity.log │ PASS │ 5.074458ms │
│ azure │ activitylogs │ pipeline │ test-activitylogs-raw.log │ PASS │ 8.545917ms │
│ azure │ application_gateway │ pipeline │ test-application-gateway-raw.log │ PASS │ 13.72725ms │
│ azure │ auditlogs │ pipeline │ test-audit-logs-edgecases.log │ PASS │ 14.202416ms │
│ azure │ auditlogs │ pipeline │ test-audit-logs-sample.log │ PASS │ 6.52625ms │
│ azure │ auditlogs │ pipeline │ test-auditlogs-raw.log │ PASS │ 3.444667ms │
│ azure │ eventhub │ pipeline │ test-eventhub-raw.log │ PASS │ 2.444792ms │
│ azure │ firewall_logs │ pipeline │ test-applicationrules-raw.log │ PASS │ 18.128667ms │
│ azure │ firewall_logs │ pipeline │ test-dnsproxyrules-raw.log │ PASS │ 6.014417ms │
│ azure │ firewall_logs │ pipeline │ test-networkrules-raw.log │ PASS │ 12.155334ms │
│ azure │ firewall_logs │ pipeline │ test-sdh3075-raw.log │ PASS │ 3.763208ms │
│ azure │ identity_protection │ pipeline │ test-rickyusers-raw.log │ PASS │ 5.685959ms │
│ azure │ identity_protection │ pipeline │ test-userriskevents-raw.log │ PASS │ 3.838292ms │
│ azure │ platformlogs │ pipeline │ test-platformlogs-edgecases.log │ PASS │ 5.014542ms │
│ azure │ platformlogs │ pipeline │ test-platformlogs-identity-raw.log │ PASS │ 3.183083ms │
│ azure │ platformlogs │ pipeline │ test-platformlogs-invalid-raw.log │ PASS │ 5.379334ms │
│ azure │ platformlogs │ pipeline │ test-platformlogs-kube.log │ PASS │ 3.198375ms │
│ azure │ platformlogs │ pipeline │ test-platformlogs-raw.log │ PASS │ 3.303666ms │
│ azure │ platformlogs │ pipeline │ test-platformlogs-remote-raw.log │ PASS │ 3.062667ms │
│ azure │ provisioning │ pipeline │ test-provisioninglogs-raw.log │ PASS │ 3.927583ms │
│ azure │ signinlogs │ pipeline │ test-managed-identity-sample.log │ PASS │ 37.253708ms │
│ azure │ signinlogs │ pipeline │ test-managed-identity.log │ PASS │ 3.430375ms │
│ azure │ signinlogs │ pipeline │ test-non-interactive-user-sample.log │ PASS │ 18.194167ms │
│ azure │ signinlogs │ pipeline │ test-non-interactive-user-signin.log │ PASS │ 8.793541ms │
│ azure │ signinlogs │ pipeline │ test-non-interactive-user.log │ PASS │ 5.195834ms │
│ azure │ signinlogs │ pipeline │ test-service-principal-signinlogs-sample.log │ PASS │ 6.70975ms │
│ azure │ signinlogs │ pipeline │ test-service-principal.log │ PASS │ 3.260042ms │
│ azure │ signinlogs │ pipeline │ test-signinlogs-raw.log │ PASS │ 5.1635ms │
│ azure │ signinlogs │ pipeline │ test-signinlogs-sample.log │ PASS │ 6.71425ms │
│ azure │ springcloudlogs │ pipeline │ test-springcloudlogs-edgecases.log │ PASS │ 4.247792ms │
│ azure │ springcloudlogs │ pipeline │ test-springcloudlogs-raw.log │ PASS │ 3.130875ms │
╰─────────┴─────────────────────┴───────────┴──────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: azure - END ---
Done
Trying to test this using the Dev Tools.
```
#
# request
#
POST _ingest/pipeline/logs-azure.platformlogs-1.6.0/_simulate
{
  "docs": [
    {
      "_source": {
        "tags": [
          "parse_message"
        ],
        "@timestamp": "2022-10-04T13:05:22.643+1300",
        "message": """{"id": 1}"""
      }
    }
  ]
}
#
# Response
#
{
  "docs": [
    {
      "doc": {
        "_index": "_index",
        "_id": "_id",
        "_version": "-3",
        "_source": {
          "cloud": {
            "provider": "azure"
          },
          "@timestamp": "2022-10-04T13:05:22.643+1300",
          "ecs": {
            "version": "8.0.0"
          },
          "event": {
            "kind": "event"
          },
          "tags": [
            "parse_message"
          ],
          "azure": {
            "platformlogs": {
              "id": 1,
              "event_category": "Administrative"
            }
          }
        },
        "_ingest": {
          "timestamp": "2023-09-26T06:53:26.342706008Z"
        }
      }
    }
  ]
}
```
```
#
# request
#
POST _ingest/pipeline/logs-azure.platformlogs-1.6.0/_simulate
{
  "docs": [
    {
      "_source": {
        "tags": [
          "parse_message"
        ],
        "@timestamp": "2022-10-04T13:05:22.643+1300",
        "message": """{"id": 1}, {"id": 2}"""
      }
    }
  ]
}
#
# Response
#
{
  "docs": [
    {
      "doc": {
        "_index": "_index",
        "_id": "_id",
        "_version": "-3",
        "_source": {
          "cloud": {
            "provider": "azure"
          },
          "@timestamp": "2022-10-04T13:05:22.643+1300",
          "ecs": {
            "version": "8.0.0"
          },
          "event": {
            "kind": "event"
          },
          "tags": [
            "parse_message"
          ],
          "azure": {
            "platformlogs": {
              "id": 1,
              "event_category": "Administrative"
            }
          }
        },
        "_ingest": {
          "timestamp": "2023-09-26T06:56:33.128092219Z"
        }
      }
    }
  ]
}
```
```
POST _ingest/pipeline/logs-azure.platformlogs-1.6.0/_simulate
{
  "docs": [
    {
      "_source": {
        "tags": [
          "parse_message"
        ],
        "@timestamp": "2022-10-04T13:05:22.643+1300",
        "message": """{"id": 1}, {'I am broken!': yeah} """
      }
    }
  ]
}

{
  "docs": [
    {
      "doc": {
        "_index": "_index",
        "_id": "_id",
        "_version": "-3",
        "_source": {
          "cloud": {
            "provider": "azure"
          },
          "@timestamp": "2022-10-04T13:05:22.643+1300",
          "ecs": {
            "version": "8.0.0"
          },
          "event": {
            "kind": "event"
          },
          "tags": [
            "parse_message"
          ],
          "azure": {
            "platformlogs": {
              "id": 1,
              "event_category": "Administrative"
            }
          }
        },
        "_ingest": {
          "timestamp": "2023-09-26T06:58:11.716927667Z"
        }
      }
    }
  ]
}
```
On this version the behaviour is different:
```
#
# Request
#
POST _ingest/pipeline/logs-azure.platformlogs-1.6.0/_simulate
{
  "docs": [
    {
      "_source": {
        "tags": [
          "parse_message"
        ],
        "@timestamp": "2022-10-04T13:05:22.643+1300",
        "message": """{"id": 1}{'I am broken!': yeah} """
      }
    }
  ]
}
#
# Response
#
{
  "docs": [
    {
      "doc": {
        "_index": "_index",
        "_id": "_id",
        "_version": "-3",
        "_source": {
          "@timestamp": "2022-10-04T13:05:22.643+1300",
          "ecs": {
            "version": "8.0.0"
          },
          "event": {
            "original": """{"id": 1}{'I am broken!': yeah} """,
            "kind": "pipeline_error"
          },
          "error": {
            "message": [
              "Received invalid json from the Azure Cloud platform. Unable to parse the source log message",
              "cannot access method/field [platformlogs] from a null def reference"
            ]
          },
          "tags": [
            "parse_message",
            "preserve_original_event"
          ]
        },
        "_ingest": {
          "timestamp": "2023-09-26T07:07:47.178085503Z"
        }
      }
    }
  ]
}
```
On 8.7, the `json` processor added a `strict_json_parsing` setting that defaults to `true`.
Final check.
If I set [^1] `strict_json_parsing: false` on 8.7, I get the 8.6 behaviour:
```
POST _ingest/pipeline/logs-azure.platformlogs-1.7.0/_simulate
{
  "docs": [
    {
      "_source": {
        "tags": [
          "parse_message"
        ],
        "@timestamp": "2022-10-04T13:05:22.643+1300",
        "message": """{"id": 1}{'I am broken!': yeah} """
      }
    }
  ]
}

{
  "docs": [
    {
      "doc": {
        "_index": "_index",
        "_id": "_id",
        "_version": "-3",
        "_source": {
          "cloud": {
            "provider": "azure"
          },
          "@timestamp": "2022-10-04T13:05:22.643+1300",
          "ecs": {
            "version": "8.0.0"
          },
          "event": {
            "kind": "event"
          },
          "tags": [
            "parse_message"
          ],
          "azure": {
            "platformlogs": {
              "id": 1,
              "event_category": "Administrative"
            }
          }
        },
        "_ingest": {
          "timestamp": "2023-09-26T07:53:53.337915339Z"
        }
      }
    }
  ]
}
```
[^1]: I had to update the pipeline source code, couldn't find an option in the UI for doing this in Kibana.
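The difference observed in the simulations above, modelled in Python as an added example (not code from this issue or from Elasticsearch): a lenient parser that stops after the first JSON value next to a strict one that rejects trailing content. The function names are hypothetical, the sample messages are the ones from the `_simulate` requests, and the strict model rejects any trailing text, which the page only shows for the last message.

```python
import json

# Messages taken from the _simulate requests on this page.
SAMPLES = [
    '{"id": 1}',
    '{"id": 1}, {"id": 2}',
    '{"id": 1}, {\'I am broken!\': yeah} ',
    '{"id": 1}{\'I am broken!\': yeah} ',
]


def parse_lenient(message):
    """Decode the first JSON value and return it with the text that follows it."""
    text = message.lstrip()  # raw_decode does not skip leading whitespace
    value, end = json.JSONDecoder().raw_decode(text)
    return value, text[end:].strip()


def parse_strict(message):
    """Accept the message only if it is exactly one JSON value."""
    return json.loads(message)


def compare(message):
    """Summarise how one message fares under both models (assumed behaviour)."""
    value, trailing = parse_lenient(message)
    try:
        parse_strict(message)
        strict = "ok"
    except json.JSONDecodeError:
        strict = "error"
    return {"lenient": value, "dropped": trailing, "strict": strict}


def silently_truncated(messages):
    """Messages the lenient model turns into a normal event while dropping data."""
    return [m for m in messages if compare(m)["dropped"]]


if __name__ == "__main__":
    for m in SAMPLES:
        print(repr(m), "->", compare(m))
```

In this model, every message with trailing content becomes a normal `{"id": 1}` event under lenient parsing, so the discarded text leaves no trace in the indexed document; under strict parsing the same messages surface as errors.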
If I walk into the Azure Logs package sources:
And run the pipeline tests I get an error: