imperva_cloud_waf: step over non-UTF-8 data work items #13152
6a31f3a to 8f5776e
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
It is possible for users to incorrectly configure their Imperva Cloud WAF logging to send compressed data (this is the default). This results in a CEL evaluation failure since we depend on the data being string CEF. When the non-UTF-8 data is converted to a string, CEL refuses to perform the conversion by design. When a user has done this, it appears that logs in the compressed form persist, so the agent is unable to move past the integration-invalid data. This change tries to perform the conversion, falling back to an error message being sent to the index when it is not possible. This helps identify cases where the configuration is incorrect, and allows the collection to step over the bodies that are not consumable. Unfortunately we cannot make use of fleet health notifications since sending object errors prevents cursor updates, and so would result in continuing to be stuck.
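As an added example (not the integration's CEL program), the fallback the description outlines, modelled in Python: each work item body is decoded as UTF-8, and a body that is not valid UTF-8 becomes an error document instead of failing the evaluation, so the collection still advances past it. The item ids, error field names and sample bodies are constructed for this example.

```python
from __future__ import annotations

# Added example, not the integration's CEL code. A work item body is expected
# to be UTF-8 CEF text; a body that is not valid UTF-8 (for instance one still
# compressed by the default Imperva Cloud WAF log delivery setting) is turned
# into an error document rather than failing, so the cursor can advance.


def body_to_event(body: bytes, item_id: str) -> dict:
    """Return one event per work item and never raise on undecodable bytes."""
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError as exc:
        return {
            "error": {
                "message": (
                    f"work item {item_id}: body is not valid UTF-8 "
                    f"({exc.reason} at byte {exc.start}); check that the "
                    "Imperva Cloud WAF log delivery is configured to send "
                    "uncompressed CEF"
                ),
            },
            # First bytes of the body in hex so the cause can be recognised
            # from the indexed document (1f 8b is the gzip magic).
            "event": {"kind": "pipeline_error", "original": body[:16].hex()},
        }
    return {"message": text, "event": {"kind": "event"}}


def collect(items: list[tuple[str, bytes]], cursor: str | None = None) -> tuple[list[dict], str | None]:
    """Process work items in order; the cursor moves past every item, the
    undecodable ones included, which is what lets the collection get unstuck."""
    events = []
    for item_id, body in items:
        events.append(body_to_event(body, item_id))
        cursor = item_id
    return events, cursor


# Constructed sample work items: two plain CEF lines around one body that
# starts with the gzip magic bytes, standing in for the misconfigured default.
SAMPLE_ITEMS = [
    ("item-1", b"CEF:0|Vendor|Product|1|100|constructed event|3|src=10.0.0.1"),
    ("item-2", b"\x1f\x8b\x08\x00\xff\xfe\x00\x00"),
    ("item-3", b"CEF:0|Vendor|Product|1|101|constructed event|3|src=10.0.0.2"),
]
```

Running `collect(SAMPLE_ITEMS)` yields three documents, the middle one an error document, and a cursor of `item-3`, which is the behaviour the change is after: the bad body is reported, not retried forever.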
8f5776e to 975b717
Very nice.
The commit description is good and clear.
💚 Build Succeeded
cc @efd6
Package imperva_cloud_waf - 1.11.0 containing this change is available at https://epr.elastic.co/package/imperva_cloud_waf/1.11.0/
Warning: The CEL input in this integration is not tested in system tests. Please review with extra care.