[Check Point] Field checkpoint.source_object mapped incorrectly as long #25124
Comments
Good find. Easy fix to update the module.

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

I made the change to

I just created a draft PR. If you think it solves your issue, I will take it out of draft.
* #25124: Update `checkpoint.source_object` mapping
* Update generated

Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
According to https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144192, Check Point module field checkpoint.source_object should be mapped as a string type instead of long. Syncs change from: elastic/beats@a5e6e5b Relates: elastic/beats#25124
According to https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144192, Check Point module field checkpoint.source_object should be mapped as a string type instead of integer. Syncs change from: elastic/beats@a5e6e5b Relates: elastic/beats#25124

Other changes:
- use ECS `log.file.path`
- add `event.original` mapping
- sort fields.yml by field name

This was observed while preparing elastic/beats#31076.
./filebeat setup
According to https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144192, Check Point module field `checkpoint.source_object` should be mapped as a string type instead of long. Events with the field can encounter a mapper_parsing_exception with the current template:

Workaround

To work around, override the default field mapping with an additional higher-order template. The field will have the correct mapping when a new Filebeat index is created.
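The following is an added example, not code from the issue or from the Beats project. It models why the `long` mapping is a problem (a `long` field with the default `coerce: true` silently accepts numeric-looking strings such as `"4711"`, so the bug only surfaces when an object name like `Internal_Net` arrives) and builds the body of the higher-order legacy index template the workaround describes. The sample events are constructed, the coercion logic is a simplified model of Elasticsearch behaviour rather than its code, and the template `order` value is an assumption: it must be higher than the order of the Filebeat-managed template, which you can read back with `GET _template/filebeat-*`.

```python
import json
import re

# Constructed sample events, not taken from the issue or from a real Check Point log.
# Numeric-looking object names are the ones that slip through a `long` mapping unnoticed.
SAMPLE_EVENTS = [
    {"checkpoint": {"source_object": "Internal_Net"}},
    {"checkpoint": {"source_object": "10.1.2.3"}},
    {"checkpoint": {"source_object": "4711"}},
]

_NUMERIC = re.compile(r"^-?\d+(\.\d+)?$")


def long_field_accepts(value):
    """Simplified model of how an Elasticsearch `long` field with the default
    `coerce: true` treats an incoming value: integers pass, strings pass only if
    they parse as a number, everything else is a mapper_parsing_exception.
    This is an illustration, not the Elasticsearch implementation."""
    if isinstance(value, bool):
        return False
    if isinstance(value, int):
        return True
    if isinstance(value, str) and _NUMERIC.match(value.strip()):
        return True
    return False


def index_event(event, source_object_type):
    """Return None if the event would be indexed, otherwise a description of the
    rejection. `source_object_type` is the mapped type of checkpoint.source_object.
    The error text approximates the Elasticsearch message; it is not copied from it."""
    value = event["checkpoint"]["source_object"]
    if source_object_type == "keyword":
        return None  # any string value is accepted as-is
    if source_object_type == "long":
        if long_field_accepts(value):
            return None
        return (
            "mapper_parsing_exception: failed to parse field "
            f"[checkpoint.source_object] of type [long], value {value!r}"
        )
    raise ValueError(f"unsupported type {source_object_type}")


def rejected_events(events, source_object_type):
    """List the source_object values that would be rejected under the given mapping."""
    return [
        e["checkpoint"]["source_object"]
        for e in events
        if index_event(e, source_object_type) is not None
    ]


def override_template(order, index_patterns=("filebeat-*",)):
    """Body for a legacy index template (PUT _template/<name>) that overrides the
    field mapping. `order` must exceed the order of the Filebeat-managed template;
    the value used in the demo below is an assumption, check GET _template/filebeat-*."""
    return {
        "index_patterns": list(index_patterns),
        "order": order,
        "mappings": {
            "properties": {
                "checkpoint": {
                    "properties": {
                        "source_object": {"type": "keyword", "ignore_above": 1024}
                    }
                }
            }
        },
    }


if __name__ == "__main__":
    print("rejected under long:   ", rejected_events(SAMPLE_EVENTS, "long"))
    print("rejected under keyword:", rejected_events(SAMPLE_EVENTS, "keyword"))
    # Assumed order 2; replace with a value above the Filebeat template's order.
    print(json.dumps(override_template(order=2), indent=2))
```

Because the override only applies to indices created after the template is installed, existing indices keep the `long` mapping until they roll over, which is why the issue notes the fix takes effect on a new Filebeat index.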