diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 5a3584ec24d0..b56dbdc765d6 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -17,6 +17,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff] - Drop support for Debian 10 and upgrade statically linked glibc from 2.28 to 2.31 {pull}41402[41402] - Fix metrics not being ingested, due to "Limit of total fields [10000] has been exceeded while adding new fields [...]". The total fields limit has been increased to 12500. No significant performance impact on Elasticsearch is anticipated. {pull}41640[41640] - Set default kafka version to 2.1.0 in kafka output and filebeat. {pull}41662[41662] +- Fix templates and docs to use correct `--` version of command line arguments. {issue}42038[42038] {pull}42060[42060] *Auditbeat* diff --git a/NOTICE.txt b/NOTICE.txt index 7968c2b8fd1f..1a6213165679 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -1,5 +1,5 @@ Elastic Beats -Copyright 2014-2024 Elasticsearch BV +Copyright 2014-2025 Elasticsearch BV This product includes software developed by The Apache Software Foundation (http://www.apache.org/). diff --git a/deploy/kubernetes/metricbeat-kubernetes.yaml b/deploy/kubernetes/metricbeat-kubernetes.yaml index 418c902bffc0..0afc6438b65e 100644 --- a/deploy/kubernetes/metricbeat-kubernetes.yaml +++ b/deploy/kubernetes/metricbeat-kubernetes.yaml @@ -295,7 +295,7 @@ spec: args: [ "-c", "/etc/metricbeat.yml", "-e", - "-system.hostfs=/hostfs", + "--system.hostfs=/hostfs", ] env: - name: ELASTICSEARCH_HOST diff --git a/deploy/kubernetes/metricbeat/metricbeat-daemonset.yaml b/deploy/kubernetes/metricbeat/metricbeat-daemonset.yaml index e8c0074be6de..c89dd2b21d39 100644 --- a/deploy/kubernetes/metricbeat/metricbeat-daemonset.yaml +++ b/deploy/kubernetes/metricbeat/metricbeat-daemonset.yaml 
@@ -25,7 +25,7 @@ spec: args: [ "-c", "/etc/metricbeat.yml", "-e", - "-system.hostfs=/hostfs", + "--system.hostfs=/hostfs", ] env: - name: ELASTICSEARCH_HOST diff --git a/dev-tools/kubernetes/metricbeat/manifest.debug.multi.yaml b/dev-tools/kubernetes/metricbeat/manifest.debug.multi.yaml index 6dd492804c8b..c266335babad 100644 --- a/dev-tools/kubernetes/metricbeat/manifest.debug.multi.yaml +++ b/dev-tools/kubernetes/metricbeat/manifest.debug.multi.yaml @@ -298,7 +298,7 @@ spec: args: [ "-c", "/etc/metricbeat.yml", "-e", - "-system.hostfs=/hostfs", + "--system.hostfs=/hostfs", ] env: - name: ELASTICSEARCH_HOST @@ -403,7 +403,7 @@ spec: args: [ "-c", "/etc/metricbeat.yml", "-e", - "-system.hostfs=/hostfs", + "--system.hostfs=/hostfs", ] ports: - containerPort: 56268 diff --git a/dev-tools/kubernetes/metricbeat/manifest.debug.yaml b/dev-tools/kubernetes/metricbeat/manifest.debug.yaml index 398d7fa85606..7bb9dd963366 100644 --- a/dev-tools/kubernetes/metricbeat/manifest.debug.yaml +++ b/dev-tools/kubernetes/metricbeat/manifest.debug.yaml @@ -298,7 +298,7 @@ spec: args: [ "-c", "/etc/metricbeat.yml", "-e", - "-system.hostfs=/hostfs", + "--system.hostfs=/hostfs", ] ports: - containerPort: 56268 diff --git a/dev-tools/kubernetes/metricbeat/manifest.run.yaml b/dev-tools/kubernetes/metricbeat/manifest.run.yaml index 21c9727d45ef..6b42510754e8 100644 --- a/dev-tools/kubernetes/metricbeat/manifest.run.yaml +++ b/dev-tools/kubernetes/metricbeat/manifest.run.yaml @@ -298,7 +298,7 @@ spec: args: [ "-c", "/etc/metricbeat.yml", "-e", - "-system.hostfs=/hostfs", + "--system.hostfs=/hostfs", ] env: - name: ELASTICSEARCH_HOST diff --git a/dev-tools/mage/pkg.go b/dev-tools/mage/pkg.go index 53783b29553a..757f857265f4 100644 --- a/dev-tools/mage/pkg.go +++ b/dev-tools/mage/pkg.go @@ -172,7 +172,6 @@ func prepareIronbankBuild() error { } return nil }) - if err != nil { return fmt.Errorf("cannot create templates for the IronBank: %w", err) } 
@@ -206,7 +205,7 @@ func saveIronbank() error { distributionsDir := "build/distributions" if _, err := os.Stat(distributionsDir); os.IsNotExist(err) { - err := os.MkdirAll(distributionsDir, 0750) + err := os.MkdirAll(distributionsDir, 0o750) if err != nil { return fmt.Errorf("cannot create folder for docker artifacts: %w", err) } @@ -348,9 +347,7 @@ func TestPackages(options ...TestPackagesOption) error { args = append(args, "-files", MustExpand("{{.PWD}}/build/distributions/*")) if out, err := goTest(args...); err != nil { - if !mg.Verbose() { - fmt.Println(out) - } + fmt.Println(out) return err } diff --git a/dev-tools/packaging/package_test.go b/dev-tools/packaging/package_test.go index cad23aec9e87..6a9a72a8facd 100644 --- a/dev-tools/packaging/package_test.go +++ b/dev-tools/packaging/package_test.go @@ -26,7 +26,9 @@ import ( "bufio" "bytes" "compress/gzip" + "context" "encoding/json" + "errors" "flag" "fmt" "io" @@ -36,18 +38,20 @@ import ( "slices" "strings" "testing" - - "errors" + "time" "github.com/blakesmith/ar" rpm "github.com/cavaliergopher/rpm" + "github.com/docker/docker/api/types/container" + "github.com/docker/docker/api/types/strslice" + "github.com/docker/docker/client" ) const ( - expectedConfigMode = os.FileMode(0600) - expectedManifestMode = os.FileMode(0644) + expectedConfigMode = os.FileMode(0o600) + expectedManifestMode = os.FileMode(0o644) expectedModuleFileMode = expectedManifestMode - expectedModuleDirMode = os.FileMode(0755) + expectedModuleDirMode = os.FileMode(0o755) ) var ( 
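Review bot: In the TestPackages hunk, a failing `goTest` run now prints `out` unconditionally, where the removed guard printed it only when `mg.Verbose()` was false. If goTest already streams the test output in verbose mode (its body is not in this hunk), a verbose failure will now show the whole output twice. If that is no longer how goTest behaves, a short comment above `fmt.Println(out)` such as `// goTest does not echo output itself, so always print it on failure` would stop the guard from being re-added later. TestPackages starts and ends outside the hunk.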
@@ -234,15 +238,15 @@ func checkDocker(t *testing.T, file string) { t.Errorf("error reading file %v: %v", file, err) return } - checkDockerEntryPoint(t, p, info) checkDockerLabels(t, p, info, file) checkDockerUser(t, p, info, *rootUserContainer) - checkConfigPermissionsWithMode(t, p, os.FileMode(0644)) - checkManifestPermissionsWithMode(t, p, os.FileMode(0644)) + checkConfigPermissionsWithMode(t, p, os.FileMode(0o644)) + checkManifestPermissionsWithMode(t, p, os.FileMode(0o644)) checkModulesPresent(t, "", p) checkModulesDPresent(t, "", p) checkLicensesPresent(t, "licenses/", p) + checkDockerImageRun(t, p, file) } // Verify that the main configuration file is installed with a 0600 file mode. @@ -356,7 +360,7 @@ func checkModulesOwner(t *testing.T, p *packageFile, expectRoot bool) { // Verify that the systemd unit file has a mode of 0644. It should not be // executable. func checkSystemdUnitPermissions(t *testing.T, p *packageFile) { - const expectedMode = os.FileMode(0644) + const expectedMode = os.FileMode(0o644) t.Run(p.Name+" systemd unit file permissions", func(t *testing.T) { for _, entry := range p.Contents { if systemdUnitFilePattern.MatchString(entry.File) { @@ -443,7 +447,7 @@ func checkLicensesPresent(t *testing.T, prefix string, p *packageFile) { } func checkDockerEntryPoint(t *testing.T, p *packageFile, info *dockerInfo) { - expectedMode := os.FileMode(0755) + expectedMode := os.FileMode(0o755) t.Run(fmt.Sprintf("%s entrypoint", p.Name), func(t *testing.T) { if len(info.Config.Entrypoint) == 0 { 
@@ -511,6 +515,111 @@ func checkDockerUser(t *testing.T, p *packageFile, info *dockerInfo, expectRoot }) } +func checkDockerImageRun(t *testing.T, p *packageFile, imagePath string) { + t.Run(fmt.Sprintf("%s check docker images runs", p.Name), func(t *testing.T) { + var ctx context.Context + dl, ok := t.Deadline() + if !ok { + ctx = context.Background() + } else { + c, cancel := context.WithDeadline(context.Background(), dl) + ctx = c + defer cancel() + } + f, err := os.Open(imagePath) + if err != nil { + t.Fatalf("failed to open docker image %q: %s", imagePath, err) + } + defer f.Close() + + c, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation()) + if err != nil { + t.Fatalf("failed to get a Docker client: %s", err) + } + + loadResp, err := c.ImageLoad(ctx, f, true) + if err != nil { + t.Fatalf("error loading docker image: %s", err) + } + + loadRespBody, err := io.ReadAll(loadResp.Body) + if err != nil { + t.Fatalf("failed to read image load response: %s", err) + } + loadResp.Body.Close() + + _, after, found := strings.Cut(string(loadRespBody), "Loaded image: ") + if !found { + t.Fatalf("image load response was unexpected: %s", string(loadRespBody)) + } + imageId := strings.TrimRight(after, "\\n\"}\r\n") + + var caps strslice.StrSlice + if strings.Contains(imageId, "packetbeat") { + caps = append(caps, "NET_ADMIN") + } + + createResp, err := c.ContainerCreate(ctx, + &container.Config{ + Image: imageId, + }, + &container.HostConfig{ + CapAdd: caps, + }, + nil, + nil, + "") + if err != nil { + t.Fatalf("error creating container from image: %s", err) + } + defer func() { + err := c.ContainerRemove(ctx, createResp.ID, container.RemoveOptions{Force: true}) + if err != nil { + t.Errorf("error removing container: %s", err) + } + }() + + err = c.ContainerStart(ctx, createResp.ID, container.StartOptions{}) + if err != nil { + t.Fatalf("failed to start container: %s", err) + } + defer func() { + err := c.ContainerStop(ctx, createResp.ID, 
container.StopOptions{}) + if err != nil { + t.Errorf("error stopping container: %s", err) + } + }() + + timer := time.NewTimer(15 * time.Second) + defer timer.Stop() + ticker := time.NewTicker(2 * time.Second) + defer ticker.Stop() + + var logs []byte + sentinelLog := "Beat ID: " + for { + select { + case <-timer.C: + t.Fatalf("never saw %q within timeout\nlogs:\n%s", sentinelLog, string(logs)) + return + case <-ticker.C: + out, err := c.ContainerLogs(ctx, createResp.ID, container.LogsOptions{ShowStdout: true, ShowStderr: true}) + if err != nil { + t.Logf("could not get logs: %s", err) + } + logs, err = io.ReadAll(out) + out.Close() + if err != nil { + t.Logf("error reading logs: %s", err) + } + if bytes.Contains(logs, []byte(sentinelLog)) { + return + } + } + } + }) +} + // ensureNoBuildIDLinks checks for regressions related to // https://github.com/elastic/beats/issues/12956. func ensureNoBuildIDLinks(t *testing.T, p *packageFile) { diff --git a/dev-tools/packaging/templates/docker/Dockerfile.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.tmpl index d5696e9fa0e1..1643e308c9a3 100644 --- a/dev-tools/packaging/templates/docker/Dockerfile.tmpl +++ b/dev-tools/packaging/templates/docker/Dockerfile.tmpl @@ -244,4 +244,4 @@ ENV LIBBEAT_MONITORING_CGROUPS_HIERARCHY_OVERRIDE=/ WORKDIR {{ $beatHome }} ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-entrypoint"] -CMD ["-environment", "container"] +CMD ["--environment", "container"] diff --git a/dev-tools/packaging/templates/ironbank/auditbeat/Dockerfile b/dev-tools/packaging/templates/ironbank/auditbeat/Dockerfile index 893e84d57e36..387b1c4f4f14 100644 --- a/dev-tools/packaging/templates/ironbank/auditbeat/Dockerfile +++ b/dev-tools/packaging/templates/ironbank/auditbeat/Dockerfile 
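Review bot: In the `ticker.C` branch of checkDockerImageRun, a failed `c.ContainerLogs` call is only logged, and execution falls through to `io.ReadAll(out)` and `out.Close()` with `out` presumably nil, so a transient Docker API error would panic the test rather than be retried on the next tick; add `continue` after `t.Logf("could not get logs: %s", err)`. The image reference is recovered with `strings.TrimRight(after, "\\n\"}\r\n")`, which strips any trailing run of the characters `\`, `n`, `"` and `}`, so a reference ending in `n` would be shortened, and a tarball carrying several tags would leave the later "Loaded image" lines in the value; decoding the JSON message with the already imported encoding/json would be sturdier. The container for packetbeat images is created with `NET_ADMIN` added, which deserves a one-line comment saying why the capability is required, and the local `imageId` should be spelled `imageID`. The `return` after `t.Fatalf` in the timer branch is unreachable and can be dropped.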
@@ -80,7 +80,7 @@ ENV ELASTIC_PRODUCT=${ELASTIC_PRODUCT} # TODO: eventually /tinit will be replaced by /usr/bin/tini ENTRYPOINT ["/tinit", "--", "/usr/share/auditbeat/auditbeat", "-E", "http.enabled=true", "-E", "http.host=unix:///usr/share/auditbeat/data/auditbeat.sock"] -CMD ["-environment", "container"] +CMD ["--environment", "container"] # see https://www.elastic.co/guide/en/beats/auditbeat/current/http-endpoint.html HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD curl -I -f --max-time 5 --unix-socket '/usr/share/auditbeat/data/auditbeat.sock' 'http:/stats?pretty' diff --git a/dev-tools/packaging/templates/ironbank/filebeat/Dockerfile b/dev-tools/packaging/templates/ironbank/filebeat/Dockerfile index dc4f7bb49ea9..5f8b5fafb652 100644 --- a/dev-tools/packaging/templates/ironbank/filebeat/Dockerfile +++ b/dev-tools/packaging/templates/ironbank/filebeat/Dockerfile @@ -80,7 +80,7 @@ ENV ELASTIC_PRODUCT=${ELASTIC_PRODUCT} # TODO: eventually /tinit will be replaced by /usr/bin/tini ENTRYPOINT ["/tinit", "--", "/usr/share/filebeat/filebeat", "-E", "http.enabled=true", "-E", "http.host=unix:///usr/share/filebeat/data/filebeat.sock"] -CMD ["-environment", "container"] +CMD ["--environment", "container"] # see https://www.elastic.co/guide/en/beats/filebeat/current/http-endpoint.html HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD curl -I -f --max-time 5 --unix-socket '/usr/share/filebeat/data/filebeat.sock' 'http:/stats/?pretty' diff --git a/dev-tools/packaging/templates/ironbank/heartbeat/Dockerfile b/dev-tools/packaging/templates/ironbank/heartbeat/Dockerfile index c71357b8478e..b24ce932c3cf 100644 --- a/dev-tools/packaging/templates/ironbank/heartbeat/Dockerfile +++ b/dev-tools/packaging/templates/ironbank/heartbeat/Dockerfile 
@@ -80,7 +80,7 @@ ENV ELASTIC_PRODUCT=${ELASTIC_PRODUCT} # TODO: eventually /tinit will be replaced by /usr/bin/tini ENTRYPOINT ["/tinit", "--", "/usr/share/heartbeat/heartbeat", "-E", "http.enabled=true", "-E", "http.host=unix:///usr/share/heartbeat/data/heartbeat.sock"] -CMD ["-environment", "container"] +CMD ["--environment", "container"] # see https://www.elastic.co/guide/en/beats/heartbeat/current/http-endpoint.html HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD curl -I -f --max-time 5 --unix-socket '/usr/share/heartbeat/data/heartbeat.sock' 'http:/stats/?pretty' diff --git a/dev-tools/packaging/templates/ironbank/metricbeat/Dockerfile b/dev-tools/packaging/templates/ironbank/metricbeat/Dockerfile index cee8fe1fe6fa..e0f832d1ef57 100644 --- a/dev-tools/packaging/templates/ironbank/metricbeat/Dockerfile +++ b/dev-tools/packaging/templates/ironbank/metricbeat/Dockerfile @@ -81,7 +81,7 @@ ENV ELASTIC_PRODUCT=${ELASTIC_PRODUCT} # TODO: eventually /tinit will be replaced by /usr/bin/tini ENTRYPOINT ["/tinit", "--", "/usr/share/metricbeat/metricbeat", "-E", "http.enabled=true", "-E", "http.host=unix:///usr/share/metricbeat/data/metricbeat.sock"] -CMD ["-environment", "container"] +CMD ["--environment", "container"] # see https://www.elastic.co/guide/en/beats/metricbeat/current/http-endpoint.html HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD curl -I -f --max-time 5 --unix-socket '/usr/share/metricbeat/data/metricbeat.sock' 'http:/stats/?pretty' diff --git a/dev-tools/packaging/templates/ironbank/packetbeat/Dockerfile b/dev-tools/packaging/templates/ironbank/packetbeat/Dockerfile index e7a025ef6aa0..6d7155c80c06 100644 --- a/dev-tools/packaging/templates/ironbank/packetbeat/Dockerfile +++ b/dev-tools/packaging/templates/ironbank/packetbeat/Dockerfile 
@@ -82,7 +82,7 @@ ENV ELASTIC_PRODUCT=${ELASTIC_PRODUCT} # TODO: eventually /tinit will be replaced by /usr/bin/tini ENTRYPOINT ["/tinit", "--", "/usr/share/packetbeat/packetbeat", "-E", "http.enabled=true", "-E", "http.host=unix:///usr/share/packetbeat/data/packetbeat.sock"] -CMD ["-environment", "container"] +CMD ["--environment", "container"] # see https://www.elastic.co/guide/en/beats/packetbeat/current/http-endpoint.html HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD curl -I -f --max-time 5 --unix-socket '/usr/share/packetbeat/data/packetbeat.sock' 'http:/stats/?pretty' diff --git a/filebeat/tests/open-file-handlers/run.sh b/filebeat/tests/open-file-handlers/run.sh index 4554660ab2f8..1bcc545391d0 100644 --- a/filebeat/tests/open-file-handlers/run.sh +++ b/filebeat/tests/open-file-handlers/run.sh @@ -1,3 +1,3 @@ /etc/init.d/metricbeat start cd /filebeat -./filebeat -httpprof :6060 +./filebeat --httpprof :6060 diff --git a/libbeat/asset/registry.go b/libbeat/asset/registry.go index 99fc1a7dba09..fe34971c995a 100644 --- a/libbeat/asset/registry.go +++ b/libbeat/asset/registry.go @@ -21,8 +21,9 @@ import ( "bytes" "compress/zlib" "encoding/base64" - "io/ioutil" "sort" + + "github.com/elastic/elastic-agent-libs/iobuf" ) // FieldsRegistry contains a list of fields.yml files @@ -106,7 +107,6 @@ func EncodeData(data string) (string, error) { // DecodeData base64 decodes the data and uncompresses it func DecodeData(data string) ([]byte, error) { - decoded, err := base64.StdEncoding.DecodeString(data) if err != nil { return nil, err @@ -119,5 +119,5 @@ func DecodeData(data string) ([]byte, error) { } defer r.Close() - return ioutil.ReadAll(r) + return iobuf.ReadAll(r) } diff --git a/libbeat/docs/command-reference.asciidoc b/libbeat/docs/command-reference.asciidoc index 4766152f39fd..b869d7e4956c 100644 --- a/libbeat/docs/command-reference.asciidoc +++ b/libbeat/docs/command-reference.asciidoc 
@@ -926,7 +926,7 @@ messages. *`-e, --e`*:: Logs to stderr and disables syslog/file output. -*`-environment`*:: +*`--environment`*:: For logging purposes, specifies the environment that {beatname_uc} is running in. This setting is used to select a default log output when no log output is configured. Supported values are: `systemd`, `container`, `macos_service`, and `windows_service`. diff --git a/libbeat/tests/system/requirements.txt b/libbeat/tests/system/requirements.txt index 00f3914d1a4b..edf7f66093c3 100644 --- a/libbeat/tests/system/requirements.txt +++ b/libbeat/tests/system/requirements.txt @@ -10,7 +10,7 @@ backports.ssl-match-hostname==3.5.0.1 bcrypt==4.1.2 cached-property==1.4.2 certifi==2024.7.4 -cffi==1.16.0 +cffi==1.17.1 chardet==3.0.4 charset-normalizer==3.3.2 cryptography==43.0.1 @@ -24,7 +24,7 @@ elasticsearch==7.8.1 enum34==1.1.6 exceptiongroup==1.2.0 googleapis-common-protos==1.56.4 -grpcio==1.60.0 +grpcio==1.68.1 idna==3.7 importlib-metadata==1.7.0 iniconfig==1.0.1 diff --git a/metricbeat/docs/running-on-docker.asciidoc b/metricbeat/docs/running-on-docker.asciidoc index 26ba27658b8f..da012b2eb556 100644 --- a/metricbeat/docs/running-on-docker.asciidoc +++ b/metricbeat/docs/running-on-docker.asciidoc @@ -22,7 +22,7 @@ docker run \ --env DBUS_SYSTEM_BUS_ADDRESS='unix:path=/hostfs/var/run/dbus/system_bus_socket' \ <4> --net=host \ <5> --cgroupns=host \ <6> - {dockerimage} -e -system.hostfs=/hostfs + {dockerimage} -e --system.hostfs=/hostfs ---- <1> Metricbeat's <> collects much of its data through the Linux proc diff --git a/metricbeat/module/kubernetes/_meta/remote-debugger/README.md b/metricbeat/module/kubernetes/_meta/remote-debugger/README.md index cdebbe225c2a..a62eca2a051b 100644 --- a/metricbeat/module/kubernetes/_meta/remote-debugger/README.md +++ b/metricbeat/module/kubernetes/_meta/remote-debugger/README.md 
@@ -72,7 +72,7 @@ containers: args: [ "-c", "/etc/metricbeat.yml", "-e", - "-system.hostfs=/hostfs", + "--system.hostfs=/hostfs", ] ports: - containerPort: 56268 diff --git a/x-pack/filebeat/fbreceiver/receiver_test.go b/x-pack/filebeat/fbreceiver/receiver_test.go index 3bbdc1690ea2..7da5c24f0adf 100644 --- a/x-pack/filebeat/fbreceiver/receiver_test.go +++ b/x-pack/filebeat/fbreceiver/receiver_test.go @@ -11,6 +11,7 @@ import ( "time" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "go.opentelemetry.io/collector/consumer" "go.opentelemetry.io/collector/pdata/plog" "go.opentelemetry.io/collector/receiver" @@ -89,3 +90,47 @@ found: err = r.Shutdown(context.Background()) assert.NoError(t, err, "Error shutting down filebeatreceiver") } + +func BenchmarkFactory(b *testing.B) { + tmpDir := b.TempDir() + + cfg := &Config{ + Beatconfig: map[string]interface{}{ + "filebeat": map[string]interface{}{ + "inputs": []map[string]interface{}{ + { + "type": "benchmark", + "enabled": true, + "message": "test", + "count": 10, + }, + }, + }, + "output": map[string]interface{}{ + "otelconsumer": map[string]interface{}{}, + }, + "logging": map[string]interface{}{ + "level": "debug", + "selectors": []string{ + "*", + }, + }, + "path.home": tmpDir, + }, + } + + var zapLogs bytes.Buffer + core := zapcore.NewCore( + zapcore.NewJSONEncoder(zap.NewProductionEncoderConfig()), + zapcore.AddSync(&zapLogs), + zapcore.DebugLevel) + + receiverSettings := receiver.Settings{} + receiverSettings.Logger = zap.New(core) + + b.ResetTimer() + for i := 0; i < b.N; i++ { + _, err := NewFactory().CreateLogs(context.Background(), receiverSettings, cfg, nil) + require.NoError(b, err) + } +} diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json index 256cb7f997bf..914a4645c379 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json 
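Review bot: BenchmarkFactory discards the value returned by `CreateLogs`, so nothing created in the loop is ever shut down, whereas the test directly above ends with `r.Shutdown(context.Background())`. If creating a receiver allocates anything that outlives the call (not visible in this hunk), it accumulates over `b.N` iterations and skews the numbers. `NewFactory()` is also called inside the timed loop, and the debug-level core writes every log line into the never-reset `zapLogs` buffer, so the benchmark measures factory construction and buffer growth as well. Hoist `factory := NewFactory()` above `b.ResetTimer()`, and either call `zapLogs.Reset()` per iteration or log to `io.Discard` if the captured logs are not inspected.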
+++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json @@ -181,12 +181,12 @@ "event.code": 609002, "event.dataset": "cisco.asa", "event.duration": 0, - "event.end": "2024-05-05T17:51:17.000-02:00", + "event.end": "2025-05-05T17:51:17.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00", "event.severity": 7, - "event.start": "2024-05-05T19:51:17.000Z", + "event.start": "2025-05-05T19:51:17.000Z", "event.timezone": "-02:00", "event.type": [ "connection", @@ -701,12 +701,12 @@ "event.code": 609002, "event.dataset": "cisco.asa", "event.duration": 0, - "event.end": "2024-05-05T18:24:31.000-02:00", + "event.end": "2025-05-05T18:24:31.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00", "event.severity": 7, - "event.start": "2024-05-05T20:24:31.000Z", + "event.start": "2025-05-05T20:24:31.000Z", "event.timezone": "-02:00", "event.type": [ "connection", @@ -849,13 +849,13 @@ "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 0, - "event.end": "2024-05-05T18:29:32.000-02:00", + "event.end": "2025-05-05T18:29:32.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I", "event.reason": "TCP Reset-I", "event.severity": 6, - "event.start": "2024-05-05T20:29:32.000Z", + "event.start": "2025-05-05T20:29:32.000Z", "event.timezone": "-02:00", "event.type": [ "connection", 
@@ -966,12 +966,12 @@ "event.code": 305012, "event.dataset": "cisco.asa", "event.duration": 0, - "event.end": "2024-05-05T18:29:32.000-02:00", + "event.end": "2025-05-05T18:29:32.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00", "event.severity": 6, - "event.start": "2024-05-05T20:29:32.000Z", + "event.start": "2025-05-05T20:29:32.000Z", "event.timezone": "-02:00", "event.type": [ "connection", @@ -1175,12 +1175,12 @@ "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 124000000000, - "event.end": "2024-05-05T18:40:50.000-02:00", + "event.end": "2025-05-05T18:40:50.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585", "event.severity": 2, - "event.start": "2024-05-05T20:38:46.000Z", + "event.start": "2025-05-05T20:38:46.000Z", "event.timezone": "-02:00", "event.type": [ "connection", @@ -1812,13 +1812,13 @@ "event.code": 302023, "event.dataset": "cisco.asa", "event.duration": 0, - "event.end": "2024-05-05T19:02:58.000-02:00", + "event.end": "2025-05-05T19:02:58.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner", "event.reason": "Cluster flow with CLU closed on owner", "event.severity": 6, - "event.start": "2024-05-05T21:02:58.000Z", + "event.start": "2025-05-05T21:02:58.000Z", "event.timezone": "-02:00", "event.type": [ "info" 
@@ -1868,13 +1868,13 @@ "event.code": 302023, "event.dataset": "cisco.asa", "event.duration": 0, - "event.end": "2024-05-05T19:02:58.000-02:00", + "event.end": "2025-05-05T19:02:58.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow", "event.reason": "Forwarding or redirect flow removed to create director or backup flow", "event.severity": 6, - "event.start": "2024-05-05T21:02:58.000Z", + "event.start": "2025-05-05T21:02:58.000Z", "event.timezone": "-02:00", "event.type": [ "info" @@ -2687,13 +2687,13 @@ "event.code": 302304, "event.dataset": "cisco.asa", "event.duration": 3602000000000, - "event.end": "2024-04-27T04:12:23.000-02:00", + "event.end": "2025-04-27T04:12:23.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:81.2.69.143/54242 to server.deflan:67.43.156.12/9101 duration 1:00:02 bytes 245 Connection timeout", "event.reason": "Connection timeout", "event.severity": 6, - "event.start": "2024-04-27T05:12:21.000Z", + "event.start": "2025-04-27T05:12:21.000Z", "event.timezone": "-02:00", "event.type": [ "connection", 
@@ -3227,13 +3227,13 @@ "event.code": 113019, "event.dataset": "cisco.asa", "event.duration": 1936000000000, - "event.end": "2024-04-27T02:03:03.000-02:00", + "event.end": "2025-04-27T02:03:03.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-113019: Group = 81.2.69.143, Username = 81.2.69.143, IP = 81.2.69.143, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested", "event.reason": "User Requested", "event.severity": 4, - "event.start": "2024-04-27T03:30:47.000Z", + "event.start": "2025-04-27T03:30:47.000Z", "event.timezone": "-02:00", "event.type": [ "info" diff --git a/x-pack/filebeat/module/cisco/asa/test/non-canonical.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/non-canonical.log-expected.json index d7c455136e2f..c7975c79e2ca 100644 --- a/x-pack/filebeat/module/cisco/asa/test/non-canonical.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/non-canonical.log-expected.json @@ -361,12 +361,12 @@ "event.code": 305012, "event.dataset": "cisco.asa", "event.duration": 41000000000, - "event.end": "2024-07-15T13:38:47.000-02:00", + "event.end": "2025-07-15T13:38:47.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic UDP translation from SERVERS:exp-wait/62409 to outside:81.2.69.142/62409 duration 0:00:41", "event.severity": 6, - "event.start": "2024-07-15T15:38:06.000Z", + "event.start": "2025-07-15T15:38:06.000Z", "event.timezone": "-02:00", "event.type": [ "connection", 
@@ -423,12 +423,12 @@ "event.code": 305012, "event.dataset": "cisco.asa", "event.duration": 30000000000, - "event.end": "2024-07-15T13:37:33.000-02:00", + "event.end": "2025-07-15T13:37:33.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic UDP translation from SERVERS:exp-wait/56421 to outside:81.2.69.142/56421 duration 0:00:30", "event.severity": 6, - "event.start": "2024-07-15T15:37:03.000Z", + "event.start": "2025-07-15T15:37:03.000Z", "event.timezone": "-02:00", "event.type": [ "connection", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log-expected.json index fb3cfbbb9cb5..fedbb0ab9460 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log-expected.json @@ -38,7 +38,7 @@ ] }, { - "@timestamp": "2024-03-08T03:00:20.000-02:00", + "@timestamp": "2025-03-08T03:00:20.000-02:00", "cyberarkpas.audit.action": "Auto Clear Users History start", "cyberarkpas.audit.desc": "Auto Clear Users History start", "cyberarkpas.audit.issuer": "Batch", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log-expected.json index 9ad5b886c6ca..270efd699732 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log-expected.json 
@@ -38,7 +38,7 @@ ] }, { - "@timestamp": "2024-03-08T03:00:20.000-02:00", + "@timestamp": "2025-03-08T03:00:20.000-02:00", "cyberarkpas.audit.action": "Auto Clear Users History end", "cyberarkpas.audit.desc": "Auto Clear Users History end", "cyberarkpas.audit.issuer": "Batch", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log-expected.json index 9d813f639d65..d2d5e390dde0 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log-expected.json @@ -38,7 +38,7 @@ ] }, { - "@timestamp": "2024-03-08T02:48:07.000-02:00", + "@timestamp": "2025-03-08T02:48:07.000-02:00", "cyberarkpas.audit.action": "Monitor DR Replication start", "cyberarkpas.audit.desc": "Monitor DR Replication start", "cyberarkpas.audit.issuer": "Batch", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log-expected.json index ee767935d3b0..ccdcc1546f06 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log-expected.json @@ -38,7 +38,7 @@ ] }, { - "@timestamp": "2024-03-08T02:48:07.000-02:00", + "@timestamp": "2025-03-08T02:48:07.000-02:00", "cyberarkpas.audit.action": "Monitor DR Replication end", "cyberarkpas.audit.desc": "Monitor DR Replication end", "cyberarkpas.audit.issuer": "Batch", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log-expected.json index 2943356268b9..73692aa9b6c8 100644 
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log-expected.json @@ -38,7 +38,7 @@ ] }, { - "@timestamp": "2024-03-08T02:32:56.000-02:00", + "@timestamp": "2025-03-08T02:32:56.000-02:00", "cyberarkpas.audit.action": "Monitor FW rules start", "cyberarkpas.audit.desc": "Monitor FW rules start", "cyberarkpas.audit.issuer": "Batch", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log-expected.json index bed2becb5d42..4ad89388da98 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log-expected.json @@ -38,7 +38,7 @@ ] }, { - "@timestamp": "2024-03-08T02:32:56.000-02:00", + "@timestamp": "2025-03-08T02:32:56.000-02:00", "cyberarkpas.audit.action": "Monitor FW Rules end", "cyberarkpas.audit.desc": "Monitor FW Rules end", "cyberarkpas.audit.issuer": "Batch", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log-expected.json index bb66629fa39b..5ee1cc82cc63 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log-expected.json 
@@ -39,7 +39,7 @@
 ]
 },
 {
- "@timestamp": "2024-03-08T07:46:54.000-02:00",
+ "@timestamp": "2025-03-08T07:46:54.000-02:00",
 "cyberarkpas.audit.action": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.",
 "cyberarkpas.audit.desc": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.",
 "cyberarkpas.audit.issuer": "Builtin",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log-expected.json
index ef8f8d42bb26..78401fbbc56b 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log-expected.json
@@ -39,7 +39,7 @@
 ]
 },
 {
- "@timestamp": "2024-03-08T03:10:31.000-02:00",
+ "@timestamp": "2025-03-08T03:10:31.000-02:00",
 "cyberarkpas.audit.action": "Clear Safe History",
 "cyberarkpas.audit.desc": "Clear Safe History",
 "cyberarkpas.audit.issuer": "PasswordManager",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json
index 65ec1710d275..d7bb8fce24bc 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json
@@ -76,7 +76,7 @@
 ]
 },
 {
- "@timestamp": "2024-03-08T02:54:46.000-02:00",
+ "@timestamp": "2025-03-08T02:54:46.000-02:00",
 "cyberarkpas.audit.action": "Set Password",
 "cyberarkpas.audit.desc": "Set Password",
 "cyberarkpas.audit.issuer": "PVWAGWUser",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log-expected.json
index 439a5355e95b..69238d2b69a9 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log-expected.json
@@ -1,6 +1,6 @@
 [
 {
- "@timestamp": "2024-03-08T03:41:01.000-02:00",
+ "@timestamp": "2025-03-08T03:41:01.000-02:00",
 "cyberarkpas.audit.action": "Retrieve File",
 "cyberarkpas.audit.desc": "Retrieve File",
 "cyberarkpas.audit.file": "Root\\Policies\\Policy-BusinessWebsite.ini",
diff --git a/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log-expected.json b/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log-expected.json
index f08a15e75c4b..ef069239d23b 100644
--- a/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log-expected.json
@@ -674,7 +674,7 @@
 "microsoft.m365_defender.alerts.detectionSource": "WindowsDefenderAv",
 "microsoft.m365_defender.alerts.devices": [
 {
- "deviceDnsName": "TestServer4",
+ "deviceDnsName": "TestServer5",
 "firstSeen": "2020-06-30T08:55:08.8320449Z",
 "healthStatus": "Inactive",
 "mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d",
@@ -686,7 +686,7 @@
 "version": "Other"
 },
 {
- "deviceDnsName": "TestServer5",
+ "deviceDnsName": "TestServer4",
 "firstSeen": "2020-06-30T08:55:08.8320449Z",
 "healthStatus": "Inactive",
 "mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d",
diff --git a/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json b/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json
index e8fbe0e1d659..d6873710c143 100644
--- a/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json
+++ b/x-pack/filebeat/module/mysqlenterprise/audit/test/mysql_audit_test.log-expected.json
@@ -19,11 +19,11 @@
 "mysqlenterprise.audit.connection_id": 0,
 "mysqlenterprise.audit.id": 0,
 "process.args": [
- "--log-error=log.err",
+ "/usr/local/mysql/bin/mysqld",
 "--loose-audit-log-format=JSON",
+ "--log-error=log.err",
 "--pid-file=mysqld.pid",
- "--port=3306",
- "/usr/local/mysql/bin/mysqld"
+ "--port=3306"
 ],
 "process.args_count": 5,
 "process.command_line": "/usr/local/mysql/bin/mysqld --loose-audit-log-format=JSON --log-error=log.err --pid-file=mysqld.pid --port=3306",