
OpenCanary update, resolves multiple issues #13026

Open
wants to merge 9 commits into
base: main

Conversation

colin-stubbs
Contributor

  • Bug
  • Enhancement

Proposed commit message

Resolves issues #12911, #13024, #13025. Relevant to resolution of #2518.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

Resolves multiple issues:

  • Only set event.kind == alert if event is clearly not a generic application log message
  • Migrate logfile to filestream based filebeat configuration
  • Add http_endpoint for webhook based ingest
  • Add system tests for both filestream and http_endpoint as none currently exist.
  • Add pipeline test for webhook'ed events
  • Retain password fields if desired, e.g. only remove password field if redaction requested. The current behaviour always removes passwords.
  • Provide option to remove or retain ECS mapped fields, currently this option does not exist and ECS mapped fields are always removed.
  • Add dashboard and dashboard screenshot. Currently not included in integration.
  • Fix confused tftp/vnc field names. This is a typo/bug due to lack of sufficient sample logs for pipeline or system testing.
  • Add more complete/wider variety of sample logs for testing, e.g. TFTP & VNC events, NTP events, SNMP events etc
  • Define appropriate fields based on more complete/wider variety of sample logs
  • Fix as yet unknown logtype handling, e.g. current ingest pipeline script allows the logtype integer value to be left in a field defined as keyword leading to type conflicts and incomplete search results.
  • Update known logtype map based on latest opencanary repo code. Current list is not up to date with opencanary code.

Testing:

  • elastic-package lint && check && build
  • elastic-package test system --generate
  • elastic-package test pipeline --generate
  • elastic-package test
  • Manual deploy on local elastic-package managed stack and ingest of logfile
  • Manual deploy on remote Elastic Cloud stack and ingest of webhooks from real opencanary honeypots

How to test this PR locally

Install and operate OpenCanary, ideally via docker.
Use Elastic Agent to ingest OpenCanary log file OR webhooks.
Scan OpenCanary with nmap with scripting to trigger events, e.g. nmap -sC 127.0.0.1
Review

Related issues

Screenshots

New basic summary dashboard added,

[screenshot: opencanary-dashboard]

@colin-stubbs colin-stubbs requested a review from a team as a code owner March 8, 2025 06:35
rebuild package and retest completed OK
Comment on lines +4 to +8
"event": {
"original": "{\"message\": \"{\\\"dst_host\\\": \\\"1.128.0.10\\\", \\\"dst_port\\\": 22, \\\"local_time\\\": \\\"2024-04-04 17:03:52.569759\\\", \\\"local_time_adjusted\\\": \\\"2024-04-04 11:03:52.569785\\\", \\\"logdata\\\": {\\\"LOCALVERSION\\\": \\\"SSH-2.0-OpenSSH_5.1p1 Debian-4\\\", \\\"PASSWORD\\\": \\\"P@ssw0rd!\\\", \\\"REMOTEVERSION\\\": \\\"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\\\", \\\"USERNAME\\\": \\\"jdoe\\\"}, \\\"logtype\\\": 4002, \\\"node_id\\\": \\\"opencanary-1\\\", \\\"src_host\\\": \\\"1.128.0.10\\\", \\\"src_port\\\": 11851, \\\"utc_time\\\": \\\"2024-04-04 17:03:52.569781\\\"}\"}"
},
"json": {
"message": "{\"dst_host\": \"1.128.0.10\", \"dst_port\": 22, \"local_time\": \"2024-04-04 17:03:52.569759\", \"local_time_adjusted\": \"2024-04-04 11:03:52.569785\", \"logdata\": {\"LOCALVERSION\": \"SSH-2.0-OpenSSH_5.1p1 Debian-4\", \"PASSWORD\": \"P@ssw0rd!\", \"REMOTEVERSION\": \"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\", \"USERNAME\": \"jdoe\"}, \"logtype\": 4002, \"node_id\": \"opencanary-1\", \"src_host\": \"1.128.0.10\", \"src_port\": 11851, \"utc_time\": \"2024-04-04 17:03:52.569781\"}"
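Review bot: in this fixture (lines +4 to +8) json.message and event.original carry the identical payload, so the pipeline should remove json.message once it has been parsed into fields; otherwise every webhook-delivered event is stored twice. The same fixture carries PASSWORD "P@ssw0rd!" inside logdata, and since this PR makes password removal opt-in rather than unconditional, a second expected file generated with the redaction option enabled would give the pipeline test coverage of both branches.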
Contributor


Why are we sending both event and json.message?

Contributor Author

@colin-stubbs colin-stubbs Mar 11, 2025


Because that's what http_endpoint does for JSON payloads when preserve_original_event: true is set...

In the case of OpenCanary's native webhooks capability and minimal/default example config, its JSON payload is literally {"message":"{\"another\":\"json text string that contains the real event\"}}"

I suspect its internal code is really just reading the text file it produces and reading it line by line as message in its internal event representation, then encoding that as JSON and sending it off to the given URL... very similar to how fluentd works if you don't specifically instruct it to parse the line as JSON or send the actual message content only.
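To make the double encoding concrete, and to show the pipeline decisions listed in the PR description (event.kind only for non-generic events, no integer left in the keyword logtype field, password removal only on request, mapped custom fields removed unless preservation is requested), here is an added Python example. It is not the PR's ingest pipeline and not OpenCanary code; the logtype-to-name table (apart from 4002, which is in the sample event above), the 1000-series "generic" rule, the ECS field mapping and the option names are assumptions for this example. The SSH event is the one quoted on this page; the ping and unknown-logtype records are constructed.

```python
"""Added example: normalise OpenCanary events from either transport (log-file line
or the double-encoded webhook body) and apply the PR's field-handling decisions."""
import json
from datetime import datetime, timezone
from typing import Any

# Integer logtype -> name. 4002 is the value in the sample event on this page; the
# other entries are an assumption to verify against OpenCanary's logger.py.
LOGTYPE_NAMES = {
    1000: "LOG_BASE_BOOT", 1001: "LOG_BASE_MSG", 1003: "LOG_BASE_ERROR",
    1004: "LOG_BASE_PING", 4000: "LOG_SSH_NEW_CONNECTION",
    4002: "LOG_SSH_LOGIN_ATTEMPT", 10001: "LOG_TFTP", 12001: "LOG_VNC",
}
# Assumed ECS mapping for the example; the PR's own mapping may differ.
TOP_LEVEL_MAP = {"src_host": ("source", "ip"), "src_port": ("source", "port"),
                 "dst_host": ("destination", "ip"), "dst_port": ("destination", "port")}
LOGDATA_MAP = {"USERNAME": ("user", "name")}


def is_generic(logtype: Any) -> bool:
    """Assumption: 1000-series logtypes are OpenCanary housekeeping (boot, ping,
    errors), i.e. application log messages rather than attacker interaction."""
    return isinstance(logtype, int) and 1000 <= logtype < 2000


def unwrap_payload(raw: str) -> dict:
    """Log file: one JSON object per line.
    Webhook: {"message": "<that same object serialised again as a string>"}."""
    doc = json.loads(raw)
    if isinstance(doc, dict) and isinstance(doc.get("message"), str):
        try:
            inner = json.loads(doc["message"])
        except json.JSONDecodeError:
            return {"message": doc["message"]}  # free-text message, not an event record
        if isinstance(inner, dict):
            return inner
    return doc


def normalize(raw: str, *, redact_password: bool = False,
              preserve_duplicate_custom_fields: bool = False) -> dict:
    ev = unwrap_payload(raw)
    out: dict = {"event": {}, "opencanary": {}}
    logtype = ev.get("logtype")

    # The integer goes to a numeric field; the keyword field only ever receives a
    # name, so an unknown logtype leaves logtype_name absent instead of holding a number.
    if isinstance(logtype, int):
        out["opencanary"]["logtype"] = logtype
        if logtype in LOGTYPE_NAMES:
            out["opencanary"]["logtype_name"] = LOGTYPE_NAMES[logtype]
    out["event"]["kind"] = "event" if logtype is None or is_generic(logtype) else "alert"

    ts = ev.get("utc_time")
    if isinstance(ts, str):
        try:
            out["@timestamp"] = (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")
                                 .replace(tzinfo=timezone.utc).isoformat())
        except ValueError:
            out["@timestamp"] = ts  # keep the raw value rather than drop the event

    logdata = dict(ev.get("logdata") or {})
    if redact_password:
        logdata.pop("PASSWORD", None)  # removed only on request; retained by default

    for key, (obj, field) in TOP_LEVEL_MAP.items():
        if key in ev:
            out.setdefault(obj, {})[field] = ev[key]
    for key, (obj, field) in LOGDATA_MAP.items():
        if key in logdata:
            out.setdefault(obj, {})[field] = logdata[key]
            if not preserve_duplicate_custom_fields:
                logdata.pop(key)  # drop the custom copy once it has an ECS home
    if logdata:
        out["opencanary"]["logdata"] = logdata
    if "node_id" in ev:
        out["opencanary"]["node_id"] = ev["node_id"]
    return out


# Sample input: the SSH event quoted on this page (a credential offered to a
# honeypot, so test data), sent both ways, plus two constructed records.
SSH_EVENT = {
    "dst_host": "1.128.0.10", "dst_port": 22,
    "local_time": "2024-04-04 17:03:52.569759",
    "local_time_adjusted": "2024-04-04 11:03:52.569785",
    "logdata": {"LOCALVERSION": "SSH-2.0-OpenSSH_5.1p1 Debian-4", "PASSWORD": "P@ssw0rd!",
                "REMOTEVERSION": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
                "USERNAME": "jdoe"},
    "logtype": 4002, "node_id": "opencanary-1", "src_host": "1.128.0.10",
    "src_port": 11851, "utc_time": "2024-04-04 17:03:52.569781",
}
FILE_LINE_SSH = json.dumps(SSH_EVENT)
WEBHOOK_BODY_SSH = json.dumps({"message": json.dumps(SSH_EVENT)})  # double-encoded
FILE_LINE_PING = json.dumps({"logtype": 1004, "node_id": "opencanary-1",  # constructed
                             "logdata": {}, "utc_time": "2024-04-04 17:04:00.000000"})
FILE_LINE_UNKNOWN = json.dumps({"logtype": 424242, "node_id": "opencanary-1",  # constructed
                                "logdata": {"msg": "x"}, "utc_time": "bad"})

if __name__ == "__main__":
    print(json.dumps(normalize(WEBHOOK_BODY_SSH), indent=2))
```

Both transports normalise to the same document, which is the property the added filestream and http_endpoint system tests should be asserting; the unknown-logtype record shows the keyword field staying empty rather than receiving 424242.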

Contributor


OK, thanks.

- add_host_metadata: ~
{{#if processors}}
{{processors}}
{{/if}}
Contributor


Add final new line.

Contributor Author


So we've been here before @efd6 ...

  1. This does not affect functionality in any way shape or form.
  2. This does not affect viewing/editing functionality for anyone.
  3. This does not violate yaml or the handlebars template standard/definition.
  4. elastic-package does not identify this as an issue.

If this kind of thing is actually a problem elastic-package should identify it, and ideally fix it automatically via elastic-package format.

What's the actual problem here?
How are you even identifying these?

Contributor

@efd6 efd6 Mar 11, 2025


The problem is noise in the git log. For your points, I agree with 3 and 4. 1 and 2 depend on the definition of "functionality" and I don't agree when I use my definition of that (which includes maintenance, not just whether the code works).

You can see the absence marked in git logs and in the GH rendering of diffs (e.g. here for this particular case — showing up as a red circle with a red dash in the middle). It can also be seen in an editor by virtue of the absence of a new line in the rendered text (when I'm reviewing code I'll often pull the branch and experiment with changes, so I see them then).

I agree, this kind of thing should be handled by either ep or (as is the case with beats) by using an .editorconfig file.

Contributor Author


Sure... but even elastic-package generates files like this... you can see it with sample event.json files and even the Kibana assets...

[screenshots: 2025-03-11 at 10:51:38 and 10:51:27, showing elastic-package generated files without a final newline]

The entire integrations repo will be literally littered with files like this...

Contributor Author


Yeap... in terms of just the yaml handlebars templates...

Quick and dirty...

user@box ~ % cat newline_test.sh 
#!/bin/bash
# Report a file whose last byte is not a newline. Usage: ./newline_test.sh FILE

printf '\n' > newline_only

# Compare the final byte of the file with a lone newline; quote "$1" so paths with spaces work.
tail -c 1 "$1" | cmp -s newline_only - || echo "$1 does not contain a final newline"

# EOF
user@box ~ % find ~/Documents/SRC/GitHub/elastic/integrations -type f -name \*.yml.hbs -exec ./newline_test.sh {} \; | wc -l
     388
user@box ~ % find ~/Documents/SRC/GitHub/elastic/integrations -type f -name \*.yml.hbs | wc -l                              
    1316
user@box ~ % find ~/Documents/SRC/GitHub/elastic/integrations -type f -name \*.yml.hbs -exec ./newline_test.sh {} \; | head -n 5
/Users/user/Documents/SRC/GitHub/elastic/integrations/packages/unifiedlogs/agent/input/unifiedlogs.yml.hbs does not contain a final newline
/Users/user/Documents/SRC/GitHub/elastic/integrations/packages/first_epss/data_stream/vulnerability/agent/stream/cel.yml.hbs does not contain a final newline
/Users/user/Documents/SRC/GitHub/elastic/integrations/packages/activemq/data_stream/broker/agent/stream/stream.yml.hbs does not contain a final newline
/Users/user/Documents/SRC/GitHub/elastic/integrations/packages/activemq/data_stream/audit/agent/stream/log.yml.hbs does not contain a final newline
/Users/user/Documents/SRC/GitHub/elastic/integrations/packages/activemq/data_stream/log/agent/stream/log.yml.hbs does not contain a final newline
user@box ~ % find ~/Documents/SRC/GitHub/elastic/integrations -type f -name \*.yml.hbs -exec ./newline_test.sh {} \; | tail -n 5
/Users/user/Documents/SRC/GitHub/elastic/integrations/packages/rubrik/data_stream/physical_hosts/agent/stream/cel.yml.hbs does not contain a final newline
/Users/user/Documents/SRC/GitHub/elastic/integrations/packages/cisco_ios/data_stream/log/agent/stream/tcp.yml.hbs does not contain a final newline
/Users/user/Documents/SRC/GitHub/elastic/integrations/packages/cisco_ios/data_stream/log/agent/stream/udp.yml.hbs does not contain a final newline
/Users/user/Documents/SRC/GitHub/elastic/integrations/packages/cisco_ios/data_stream/log/agent/stream/stream.yml.hbs does not contain a final newline
/Users/user/Documents/SRC/GitHub/elastic/integrations/build/packages/email_report/0.0.1/data_stream/tlsrpt/agent/stream/http_endpoint.yml.hbs does not contain a final newline
user@box ~ % 

Contributor


Sure... but even elastic-package generates files like this... you can see it with sample event.json files and even the Kibana assets...

Yes, the kibana assets are still like this, sample and expectation files are no longer rendered without a trailing new line.

{{#if processors}}
processors:
{{processors}}
{{/if}}
Contributor


Add final new line.

Comment on lines +619 to 623
description: Remove opencanary.logdata.MAC if MAC addresses were parsed out and mapped field preservation is not requested
tag: remove_opencanary_logdata_MAC
if: ctx.source?.mac != null && ctx.destination?.mac != null
if: (ctx?.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))) && ctx.source?.mac != null && ctx.destination?.mac != null
field: opencanary.logdata.MAC
ignore_missing: true
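Review bot: as rendered, lines 619-623 show two `if:` keys on the same remove processor; a YAML mapping cannot carry a duplicate key, so only one condition can remain in the committed file. The combined condition also folds two independent decisions together (were the MACs parsed into source.mac/destination.mac, and did the user ask to keep duplicate custom fields), which is why efd6 asks for separate processors: keep the remove gated on `ctx.source?.mac != null && ctx.destination?.mac != null`, and gate the preservation behaviour on the `preserve_duplicate_custom_fields` tag in its own processor so each can be tested on its own. Minor: `ctx` is never null in an ingest condition, so `ctx.tags == null` is sufficient in place of `ctx?.tags == null`.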
Contributor


Let's put these in separate processors rather than rolling them together.

colin-stubbs and others added 2 commits March 11, 2025 10:48
Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
@efd6
Contributor

efd6 commented Mar 11, 2025

/test

@elasticmachine

elasticmachine commented Mar 11, 2025

💔 Build Failed


}
],
"type": "dashboard",
"typeMigrationVersion": "10.2.0",
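Review bot: the `"typeMigrationVersion": "10.2.0"` on this dashboard saved object is what the CI install rejects: the object was exported from a Kibana newer than the 8.9.0 the package currently declares as its last known version, and Kibana refuses to import a document migrated past the version it understands. Re-export the dashboard from a Kibana matching the package's minimum kibana.version constraint in manifest.yml, or raise that constraint to the version the dashboard was actually built on; this is the "Kibana version constraints are current" item on the PR checklist.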
Contributor


Error: can't install the package: could not zip-install package; API status code = 422; response body = {"statusCode":422,"error":"Unprocessable Entity","message":"Document "opencanary-96cfb6c4-bc46-4fd4-9476-e8e9550442d9" belongs to a more recent version of Kibana [10.2.0] when the last known version is [8.9.0]."}
