5 changes: 5 additions & 0 deletions packages/proxysg/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "0.6.2"
changes:
- description: Generate processor tags and normalize error handler.
type: enhancement
link: https://github.com/elastic/integrations/pull/15568
- version: "0.6.1"
changes:
- description: Changed owners.
Expand Up @@ -7,6 +7,7 @@ processors:
field: _temp_.message
pattern: " {2}"
replacement: " "
tag: gsub_b4fb3b49
- csv:
tag: "parse_fields_bcreportermain_v1"
field: _temp_.message
Expand Down Expand Up @@ -42,7 +43,7 @@ processors:
- proxysg.server_to_client.bytes
- proxysg.client_to_server.bytes
- proxysg.x_virus_id
- proxysg.client_to_server.threat_source
- proxysg.client_to_server.threat_source
- proxysg.client_to_server.threat_id
- proxysg.remote_to_server.threat_source
- proxysg.remote_to_server.threat_id
Expand Up @@ -4,12 +4,15 @@ processors:
- set:
field: ecs.version
value: '8.17.0'
tag: set_f5923549
- set:
field: observer.vendor
value: Broadcom
tag: set_3a32ffc7
- set:
field: observer.product
value: ProxySG
tag: set_a11dfe03
- drop:
tag: "drop_commented"
description: "Drop commented lines"
Expand Down Expand Up @@ -52,6 +55,7 @@ processors:
- remove:
field: "_temp_"
ignore_failure: true
tag: remove_8c7cbd54

# ProxySG uses '-' to indicate unset fields; remove these.
- script:
Expand Down Expand Up @@ -108,75 +112,92 @@ processors:
field: client.ip
copy_from: proxysg.client.ip
ignore_failure: true
tag: set_2339ed7a
- set:
field: client.address
copy_from: client.ip
ignore_failure: true
tag: set_add34219
- set:
field: server.ip
copy_from: proxysg.server.ip
ignore_failure: true
tag: set_88ef57f2
- set:
field: server.address
copy_from: server.ip
ignore_failure: true
tag: set_61dc7df1
- set:
field: url.scheme
copy_from: proxysg.client_to_server.uri_scheme
ignore_failure: true
tag: set_246e4dcb
- set:
field: url.port
copy_from: proxysg.client_to_server.uri_port
ignore_failure: true
tag: set_a7dc2d6b
- set:
field: url.path
copy_from: proxysg.client_to_server.uri_path
ignore_failure: true
tag: set_b46e5283
- set:
field: url.query
copy_from: proxysg.client_to_server.uri_query
ignore_failure: true
tag: set_95d8ed0f
- set:
field: client.user.name
copy_from: proxysg.client_to_server.username
ignore_failure: true
tag: set_db83140a
- set:
field: http.request.referrer
copy_from: proxysg.client_to_server.referer
ignore_failure: true
tag: set_96eba2be
- set:
field: user_agent.original
copy_from: proxysg.client_to_server.user_agent
ignore_failure: true
tag: set_178279dc
- set:
field: http.request.method
copy_from: proxysg.client_to_server.method
ignore_failure: true
tag: set_d5f7f658
- set:
field: url.domain
copy_from: proxysg.client_to_server.host
ignore_failure: true
tag: set_dc1fdce0
- script:
lang: painless
if: 'ctx.proxysg.time_taken != null'
# proxysg.time_taken is ms, event.duration is ns
source: |
ctx.event.duration = ctx.proxysg.time_taken * 1000000
tag: script_eac0c719

# Enrichment
- registered_domain:
field: url.domain
target_field: url
ignore_missing: true
tag: registered_domain_ca99c8cd
- user_agent:
field: user_agent.original
ignore_missing: true
tag: user_agent_b5325863

# Geo-location
- geoip:
field: server.ip
target_field: server.geo
if: ctx.server?.geo == null && ctx.server?.ip != null
tag: geoip_b48037fe
- geoip:
database_file: GeoLite2-ASN.mmdb
field: server.ip
Expand All @@ -185,18 +206,22 @@ processors:
- asn
- organization_name
ignore_missing: true
tag: geoip_ed2798db
- rename:
field: server.as.asn
target_field: server.as.number
ignore_missing: true
tag: rename_f46ba339
- rename:
field: server.as.organization_name
target_field: server.as.organization.name
ignore_missing: true
tag: rename_a7e512d7
- geoip:
field: client.ip
target_field: client.geo
if: ctx.client?.geo == null && ctx.client?.ip != null
tag: geoip_0c48320e
- geoip:
database_file: GeoLite2-ASN.mmdb
field: client.ip
Expand All @@ -205,53 +230,63 @@ processors:
- asn
- organization_name
ignore_missing: true
tag: geoip_f17fb2b3
- rename:
field: client.as.asn
target_field: client.as.number
ignore_missing: true
tag: rename_a6e30d01
- rename:
field: client.as.organization_name
target_field: client.as.organization.name
ignore_missing: true
tag: rename_817a526f

# Add related fields
- append:
field: related.ip
value: "{{{server.ip}}}"
if: ctx.source?.ip != null
allow_duplicates: false
tag: append_0e5b7d1b
- append:
field: related.ip
value: "{{{client.ip}}}"
if: ctx.source?.ip != null
allow_duplicates: false
tag: append_cb745daf
- append:
field: related.ip
value: "{{{proxysg.server.supplier_ip}}}"
if: ctx.source?.ip != null
allow_duplicates: false
tag: append_eb7f4518
- append:
field: related.ip
value: "{{{remote.ip}}}"
if: ctx.source?.ip != null
allow_duplicates: false
tag: append_de520f14
- append:
field: related.hosts
value: "{{{url.domain}}}"
if: ctx.source?.ip != null
allow_duplicates: false
tag: append_8443ea84
- append:
field: related.user
value: "{{{client.user.name}}}"
if: ctx.source?.ip != null
allow_duplicates: false
tag: append_69c2f49e

on_failure:
- append:
field: error.message
value: |-
Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline
"{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}"
value: >-
Processor '{{{ _ingest.on_failure_processor_type }}}'
{{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
{{/_ingest.on_failure_processor_tag}}failed with message '{{{ _ingest.on_failure_message }}}'
- set:
field: event.kind
value: pipeline_error
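Review bot: The six `related.*` append processors that receive tags in the last hunk (`append_0e5b7d1b` through `append_69c2f49e`) are all guarded by `if: ctx.source?.ip != null`, yet nothing visible in this pipeline sets `source.ip` — the earlier hunk copies the parsed addresses into `client.ip` and `server.ip` — so `related.ip`, `related.hosts` and `related.user` may never be populated, which removes the fields analysts rely on for pivoting in detections. Each guard should test the field it appends, e.g. `if: ctx.server?.ip != null` for the `{{{server.ip}}}` entry, and likewise for the client.ip, proxysg.server.supplier_ip, remote.ip, url.domain and client.user.name entries; this may be intentional if `source.ip` is set upstream, but that is not visible here. The rewritten `on_failure` message also drops `_ingest.on_failure_pipeline`, so a failure surfaced from a chain of pipelines is no longer attributable to this one by name; the processor tag narrows it but is not a pipeline identifier, so consider keeping `in pipeline '{{{ _ingest.on_failure_pipeline }}}'` in the folded value. The `processors` list starts before this hunk and the file continues past it.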
2 changes: 1 addition & 1 deletion packages/proxysg/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.1.1
name: proxysg
title: "Broadcom ProxySG"
version: "0.6.1"
version: "0.6.2"
source:
license: "Elastic-2.0"
description: "Collect access logs from Broadcom ProxySG with Elastic Agent."