From 4fd68fc288d6b3d27d82589557d58a2cd9f7452d Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Mon, 5 May 2025 07:02:43 +0930
Subject: [PATCH 1/2] regenerate test expectations

---
 ...ourcemanager-googleapis-com.log-expected.json | 16 ++++++++--------
 ...test-compute-googleapis-com.log-expected.json | 16 ++++++++--------
 ...mcredentials-googleapis-com.log-expected.json | 14 +++++++-------
 .../pipeline/test-sdh-3695.log-expected.json | 14 +++++++-------
 4 files changed, 30 insertions(+), 30 deletions(-)

diff --git a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-cloudresourcemanager-googleapis-com.log-expected.json b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-cloudresourcemanager-googleapis-com.log-expected.json
index b0d0a2f8996..2b4e0ae6588 100644
--- a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-cloudresourcemanager-googleapis-com.log-expected.json
+++ b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-cloudresourcemanager-googleapis-com.log-expected.json
@@ -2,6 +2,14 @@
     "expected": [
         {
             "@timestamp": "2024-11-19T13:12:20.942Z",
+            "actor": {
+                "entity": {
+                    "id": [
+                        "serviceAccount:madeupprincipal@project-id.iam.gserviceaccount.com",
+                        "made-up-ci-account@project-id.iam.gserviceaccount.com"
+                    ]
+                }
+            },
             "client": {
                 "user": {
                     "email": "made-up-ci-account@project-id.iam.gserviceaccount.com",
@@ -139,14 +147,6 @@
                 "level": "NOTICE",
                 "logger": "projects/project-id/logs/cloudaudit.googleapis.com%2Factivity"
             },
-            "actor": {
-                "entity": {
-                    "id": [
-                        "serviceAccount:madeupprincipal@project-id.iam.gserviceaccount.com",
-                        "made-up-ci-account@project-id.iam.gserviceaccount.com"
-                    ]
-                }
-            },
             "related": {
                 "entity": [
                     "projects/project-id/roles/x",
diff --git a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-compute-googleapis-com.log-expected.json b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-compute-googleapis-com.log-expected.json
index 392169743ae..cdd6d5cba0d 100644
--- a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-compute-googleapis-com.log-expected.json
+++ b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-compute-googleapis-com.log-expected.json
@@ -2,6 +2,14 @@
     "expected": [
         {
             "@timestamp": "2024-11-19T13:13:13.176Z",
+            "actor": {
+                "entity": {
+                    "id": [
+                        "serviceAccount:project-id@cloudservices.gserviceaccount.com",
+                        "project-id@cloudservices.gserviceaccount.com"
+                    ]
+                }
+            },
             "client": {
                 "user": {
                     "email": "project-id@cloudservices.gserviceaccount.com",
@@ -206,14 +214,6 @@
                 "level": "NOTICE",
                 "logger": "projects/project-id/logs/cloudaudit.googleapis.com%2Factivity"
             },
-            "actor": {
-                "entity": {
-                    "id": [
-                        "serviceAccount:project-id@cloudservices.gserviceaccount.com",
-                        "project-id@cloudservices.gserviceaccount.com"
-                    ]
-                }
-            },
             "related": {
                 "entity": [
                     "https://www.googleapis.com/compute/v1/projects/project-id/global/networks/x-logs-network",
diff --git a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-iamcredentials-googleapis-com.log-expected.json b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-iamcredentials-googleapis-com.log-expected.json
index b672c0a8151..8208b8fb6e5 100644
--- a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-iamcredentials-googleapis-com.log-expected.json
+++ b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-iamcredentials-googleapis-com.log-expected.json
@@ -2,6 +2,13 @@
     "expected": [
         {
             "@timestamp": "2024-11-19T00:49:55.293Z",
+            "actor": {
+                "entity": {
+                    "id": [
+                        "principal://iam.googleapis.com/projects/project-id/locations/global/workloadIdentityPools/..."
+                    ]
+                }
+            },
             "client": {
                 "user": {
                     "id": "principal://iam.googleapis.com/projects/project-id/locations/global/workloadIdentityPools/..."
@@ -61,13 +68,6 @@
                 "level": "INFO",
                 "logger": "projects/project-id/logs/cloudaudit.googleapis.com%2Fdata_access"
             },
-            "actor": {
-                "entity": {
-                    "id": [
-                        "principal://iam.googleapis.com/projects/project-id/locations/global/workloadIdentityPools/..."
-                    ]
-                }
-            },
             "related": {
                 "entity": [
                     "projects/-/serviceAccounts/made-up-ci-account@project-id.iam.gserviceaccount.com",
diff --git a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-sdh-3695.log-expected.json b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-sdh-3695.log-expected.json
index c14765499de..156bcfe2fb2 100644
--- a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-sdh-3695.log-expected.json
+++ b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-sdh-3695.log-expected.json
@@ -2,6 +2,13 @@
     "expected": [
         {
             "@timestamp": "2023-08-02T11:20:30.734Z",
+            "actor": {
+                "entity": {
+                    "id": [
+                        "joel.miller@contoso.com"
+                    ]
+                }
+            },
             "client": {
                 "user": {
                     "email": "joel.miller@contoso.com"
@@ -39,13 +46,6 @@
                 "level": "INFO",
                 "logger": "organizations/123456789098/logs/cloudaudit.googleapis.com%2Fdata_access"
             },
-            "actor": {
-                "entity": {
-                    "id": [
-                        "joel.miller@contoso.com"
-                    ]
-                }
-            },
             "related": {
                 "entity": [
                     "organizations/123456789098",

From 2050049a2da71a63ffb8d8b2163dd46dc0dfa122 Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Mon, 5 May 2025 07:08:27 +0930
Subject: [PATCH 2/2] gcp: remove never-successful violation field renames

The rename refers to fields that do not exist in the type, and appears to have been incorrectly added to the block handling PolicyViolationInfo.

The alternative would have been to add the following, but we already document the current behaviour, so leaving this as is as unfortunate.

- foreach:
    field: gcp.audit.policy_violation_info.violations
    ignore_missing: true
    ignore_failure: true
    processor:
      rename:
        field: _ingest._value.errorMessage
        target_field: _ingest._value.error_message
    if: ctx.gcp?.audit?.policy_violation_info?.violations instanceof List
- foreach:
    field: gcp.audit.policy_violation_info.violations
    ignore_missing: true
    ignore_failure: true
    processor:
      rename:
        field: _ingest._value.checkedValue
        target_field: _ingest._value.checked_value
    if: ctx.gcp?.audit?.policy_violation_info?.violations instanceof List
- foreach:
    field: gcp.audit.policy_violation_info.violations
    ignore_missing: true
    ignore_failure: true
    processor:
      rename:
        field: _ingest._value.policyType
        target_field: _ingest._value.policy_type
    if: ctx.gcp?.audit?.policy_violation_info?.violations instanceof List

[1]https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#ViolationInfo
---
 packages/gcp/changelog.yml | 5 +++++
 .../audit/elasticsearch/ingest_pipeline/default.yml | 9 ---------
 packages/gcp/manifest.yml | 2 +-
 3 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/packages/gcp/changelog.yml b/packages/gcp/changelog.yml
index d640f944548..a8870914681 100644
--- a/packages/gcp/changelog.yml
+++ b/packages/gcp/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.41.2"
+  changes:
+    - description: Remove redundant audit violation field renames.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/13777
 - version: "2.41.1"
   changes:
     - description: Preserve original value of resource name.
diff --git a/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index b0e8e778abd..c4bf919adfe 100644
--- a/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -413,15 +413,6 @@ processors:
       field: gcp.audit.policy_violation_info.violations
       copy_from: json.protoPayload.policyViolationInfo.orgPolicyViolationInfo.violationInfo
       ignore_failure: true
-  - foreach:
-      field: gcp.audit.policy_violation_info.violations
-      ignore_missing: true
-      ignore_failure: true
-      processor:
-        rename:
-          field: _ingest._value.resourceAttributes
-          target_field: _ingest._value.resource_attributes
-      if: ctx.gcp?.audit?.policy_violation_info instanceof List
   - rename:
       field: json.protoPayload.policyViolationInfo.orgPolicyViolationInfo.payload
       target_field: gcp.audit.policy_violation_info.payload
diff --git a/packages/gcp/manifest.yml b/packages/gcp/manifest.yml
index 23a4eabde56..e0901b06dad 100644
--- a/packages/gcp/manifest.yml
+++ b/packages/gcp/manifest.yml
@@ -1,6 +1,6 @@
 name: gcp
 title: Google Cloud Platform
-version: "2.41.1"
+version: "2.41.2"
 description: Collect logs and metrics from Google Cloud Platform with Elastic Agent.
 type: integration
 icons:
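Review bot: Nothing on the new side of the default.yml hunk records that the `violationInfo` entries copied via `copy_from` into `gcp.audit.policy_violation_info.violations` deliberately keep their camelCase keys, so the next reader of that processor has no cue in the file not to re-add a rename (the commit message says the behaviour is documented, but that is in the package docs, not next to the processor). Suggest a comment directly above `field: gcp.audit.policy_violation_info.violations`: `# violationInfo entries are copied as-is (camelCase keys as in the AuditLog ViolationInfo type); no snake_case renames are applied, see the package docs.` It is also worth confirming that the data stream's field definitions for `policy_violation_info.violations.*` use the camelCase names actually emitted, since a mismatch would leave these org-policy violation attributes unmapped and hard to query; that cannot be checked from this hunk. The processor the three context lines belong to (apparently a `set` with `copy_from`) starts outside the hunk.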