MakoWish
Contributor

@MakoWish MakoWish commented Mar 25, 2025

Type of change

  • Enhancement

Proposed commit message

This is an initial push for a new Integration Faitour: MakoWish/Faitour

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • Dashboards will be created once the beta is released and available

@MakoWish MakoWish marked this pull request as ready for review March 25, 2025 15:45
@andrewkroh andrewkroh added the New Integration label Mar 25, 2025
@botelastic

botelastic bot commented Apr 24, 2025

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Apr 24, 2025
@MakoWish
Contributor Author

This is still relevant, and I would like to see it merged. Is there anything else needed on my end to get this approved?

@botelastic botelastic bot removed the Stalled label Apr 25, 2025
@MakoWish MakoWish requested a review from a team as a code owner May 13, 2025 23:47
@efd6 efd6 requested a review from a team May 14, 2025 00:06
@efd6 efd6 added the Team:Security-Service Integrations label May 14, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Contributor

Is there supposed to be an ingest pipeline and tests associated with this data stream?

Contributor Author

I took this idea from a different integration that did the same (I forget which). Since I am using two different datasets for the application logs and the honeypot events, the integration tests fail if there is not also a second dataset defined. The one ingest pipeline under honeypot handles all the events.

Contributor

Have you confirmed that this works in a real set-up?

@efd6
Contributor

efd6 commented May 14, 2025

/test

@efd6
Contributor

efd6 commented May 14, 2025

Forgot to mention; this will need to have a line added to .github/CODEOWNERS.

@MakoWish
Contributor Author

All suggested changes have been made.

@efd6
Contributor

efd6 commented May 14, 2025

/test

@efd6
Contributor

efd6 commented May 14, 2025

You will need to re-run elastic-package build.

@efd6
Contributor

efd6 commented May 15, 2025

/test

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

Contributor

@efd6 efd6 left a comment

Test coverage improvements only, then LGTM

##############################
## Handle ECS Server Fields ##
##############################
- rename:

Contributor

Add a test sample event to test this processor.

Contributor Author

@MakoWish MakoWish May 16, 2025

I could have sworn the pipeline tests passed before with both the faitour.honeypot and faitour.application datastreams when I had too many test events, but now that I am trying to add a test event that would be in the faitour.application datastream for this, the pipeline tests are failing with:

FAILURE DETAILS:
faitour/honeypot test-events.log:
[0] field "event.dataset" should have value in ["faitour.honeypot"], it has "faitour.application"
[1] parsing field value failed: field "event.dataset"'s value "faitour.application" does not match the declared constant_keyword value "faitour.honeypot"

I don't want two separate logs in my application, but I do want events related to the application distinguishable from activity against the honeypot in Elastic. I tried removing the event.dataset field declaration from base-fields.yml, and that handled the error [1], but it still gives the same error [0].

How can I add an event for data_stream.dataset: faitour.application into the test events and get around this? The events do get parsed properly.

Contributor

> How can I add an event for data_stream.dataset: faitour.application into the test events and get around this?

If you want to do something like this you will need to route one of them to a different data stream. I'm not sure that this feels like it is worth it; testing in this case is harder (read, "not actually possible at the moment").

Can you tolerate a softer separation between the two types of data?

Contributor Author

I will tolerate whatever it takes to not have to completely rewrite my logging, hahaha!

@efd6
Contributor

efd6 commented May 18, 2025

/test

@elasticmachine

💚 Build Succeeded

Quality Gate failed

Failed conditions
47.7% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

@botelastic

botelastic bot commented Jun 20, 2025

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Jun 20, 2025
@andrewkroh andrewkroh added the documentation label Jul 1, 2025
@botelastic botelastic bot removed the Stalled label Jul 1, 2025
@botelastic

botelastic bot commented Jul 31, 2025

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Jul 31, 2025
@botelastic

botelastic bot commented Aug 30, 2025

Hi! This PR has been stale for a while and we're going to close it as part of our cleanup procedure. We appreciate your contribution and would like to apologize if we have not been able to review it, due to the current heavy load of the team. Feel free to re-open this PR if you think it should stay open and is worth rebasing. Thank you for your contribution!

@botelastic botelastic bot closed this Aug 30, 2025