Correct field types according to spec

Author: bhapas

modules/ingest-common/src/main/java/org/elasticsearch/ingest/common/CefParser.java

@@ -117,9 +117,9 @@ enum DataType {
         entry("agentZoneExternalID", new ExtensionMapping("agentZoneExternalID", StringType, null)),
         entry("agentZoneURI", new ExtensionMapping("agentZoneURI", StringType, null)),
         entry("app", new ExtensionMapping("applicationProtocol", StringType, "network.protocol")),
-        entry("cnt", new ExtensionMapping("baseEventCount", LongType, null)),
-        entry("in", new ExtensionMapping("bytesIn", LongType, "source.bytes")),
-        entry("out", new ExtensionMapping("bytesOut", LongType, "destination.bytes")),
+        entry("cnt", new ExtensionMapping("baseEventCount", IntegerType, null)),
+        entry("in", new ExtensionMapping("bytesIn", IntegerType, "source.bytes")),
+        entry("out", new ExtensionMapping("bytesOut", IntegerType, "destination.bytes")),
         entry("customerExternalID", new ExtensionMapping("customerExternalID", StringType, "organization.id")),
         entry("customerURI", new ExtensionMapping("customerURI", StringType, "organization.name")),
         entry("dst", new ExtensionMapping("destinationAddress", IPType, "destination.ip")),
@@ -130,7 +130,7 @@ enum DataType {
         entry("dmac", new ExtensionMapping("destinationMacAddress", MACAddressType, "destination.mac")),
         entry("dntdom", new ExtensionMapping("destinationNtDomain", StringType, "destination.registered_domain")),
         entry("dpt", new ExtensionMapping("destinationPort", IntegerType, "destination.port")),
-        entry("dpid", new ExtensionMapping("destinationProcessId", LongType, "destination.process.pid")),
+        entry("dpid", new ExtensionMapping("destinationProcessId", IntegerType, "destination.process.pid")),
         entry("dproc", new ExtensionMapping("destinationProcessName", StringType, "destination.process.name")),
         entry("destinationServiceName", new ExtensionMapping("destinationServiceName", StringType, "destination.service.name")),
         entry("destinationTranslatedAddress", new ExtensionMapping("destinationTranslatedAddress", IPType, "destination.nat.ip")),
@@ -193,7 +193,7 @@ enum DataType {
         entry("deviceNtDomain", new ExtensionMapping("deviceNtDomain", StringType, null)),
         entry("deviceOutboundInterface", new ExtensionMapping("deviceOutboundInterface", StringType, "observer.egress.interface.name")),
         entry("devicePayloadId", new ExtensionMapping("devicePayloadId", StringType, "event.id")),
-        entry("dvcpid", new ExtensionMapping("deviceProcessId", LongType, "process.pid")),
+        entry("dvcpid", new ExtensionMapping("deviceProcessId", IntegerType, "process.pid")),
         entry("deviceProcessName", new ExtensionMapping("deviceProcessName", StringType, "process.name")),
         entry("rt", new ExtensionMapping("deviceReceiptTime", TimestampType, "@timestamp")),
         entry("dtz", new ExtensionMapping("deviceTimeZone", StringType, "event.timezone")),
@@ -217,7 +217,7 @@ enum DataType {
         entry("fname", new ExtensionMapping("filename", StringType, "file.name")),
         entry("filePath", new ExtensionMapping("filePath", StringType, "file.path")),
         entry("filePermission", new ExtensionMapping("filePermission", StringType, "file.group")),
-        entry("fsize", new ExtensionMapping("fileSize", IntegerType, "file.size")),
+        entry("fsize", new ExtensionMapping("fileSize", LongType, "file.size")),
         entry("fileType", new ExtensionMapping("fileType", StringType, "file.type")),
         entry("flexDate1", new ExtensionMapping("flexDate1", TimestampType, null)),
         entry("flexDate1Label", new ExtensionMapping("flexDate1Label", StringType, null)),
@@ -233,7 +233,7 @@ enum DataType {
         entry("oldFileName", new ExtensionMapping("oldFileName", StringType, null)),
         entry("oldFilePath", new ExtensionMapping("oldFilePath", StringType, null)),
         entry("oldFilePermission", new ExtensionMapping("oldFilePermission", StringType, null)),
-        entry("oldFileSize", new ExtensionMapping("oldFileSize", IntegerType, null)),
+        entry("oldFileSize", new ExtensionMapping("oldFileSize", LongType, null)),
         entry("oldFileType", new ExtensionMapping("oldFileType", StringType, null)),
         entry("rawEvent", new ExtensionMapping("rawEvent", StringType, "event.original")),
         entry("reason", new ExtensionMapping("reason", StringType, "event.reason")),
@@ -250,7 +250,7 @@ enum DataType {
         entry("smac", new ExtensionMapping("sourceMacAddress", MACAddressType, "source.mac")),
         entry("sntdom", new ExtensionMapping("sourceNtDomain", StringType, "source.registered_domain")),
         entry("spt", new ExtensionMapping("sourcePort", IntegerType, "source.port")),
-        entry("spid", new ExtensionMapping("sourceProcessId", LongType, "source.process.pid")),
+        entry("spid", new ExtensionMapping("sourceProcessId", IntegerType, "source.process.pid")),
         entry("sproc", new ExtensionMapping("sourceProcessName", StringType, "source.process.name")),
         entry("sourceServiceName", new ExtensionMapping("sourceServiceName", StringType, "source.service.name")),
         entry("sourceTranslatedAddress", new ExtensionMapping("sourceTranslatedAddress", IPType, "source.nat.ip")),

modules/ingest-common/src/test/java/org/elasticsearch/ingest/common/CefProcessorTests.java

@@ -87,7 +87,7 @@ public void testInvalidCefFormat() {
 
     public void testStandardMessage() {
         String message = "CEF:26|security|threatmanager|1.0|100|trojan successfully stopped|10|"
-            + "src=10.0.0.192 dst=12.121.122.82 spt=1232 eventId=1 in=4294967296 out=4294967296";
+            + "src=10.0.0.192 dst=12.121.122.82 spt=1232 eventId=1 in=4294 out=4294";
         Map<String, Object> source = new HashMap<>();
         source.put("message", message);
         document = new IngestDocument("index", "id", 1L, null, null, source);
@@ -109,8 +109,8 @@ public void testStandardMessage() {
                     )
                 ),
                 entry("observer", Map.of("product", "threatmanager", "vendor", "security", "version", "1.0")),
-                entry("source", Map.of("ip", "10.0.0.192", "port", 1232, "bytes", 4294967296L)),
-                entry("destination", Map.of("ip", "12.121.122.82", "bytes", 4294967296L)),
+                entry("source", Map.of("ip", "10.0.0.192", "port", 1232, "bytes", 4294)),
+                entry("destination", Map.of("ip", "12.121.122.82", "bytes", 4294)),
                 entry("event", Map.of("id", "1", "code", "100")),
                 entry("message", message)
             )
@@ -817,9 +817,9 @@ public void testAllFieldsInExtension() {
                                 entry("deviceCustomFloatingPoint1Label", "cfp1Label"),
                                 entry("deviceCustomIPv6Address3Label", "c6a3Label"),
                                 entry("deviceCustomFloatingPoint4Label", "cfp4Label"),
-                                entry("oldFileSize", 2048),
+                                entry("oldFileSize", 2048L),
                                 entry("externalId", "extId"),
-                                entry("baseEventCount", 1234L),
+                                entry("baseEventCount", 1234),
                                 entry("flexString2", "flexString2"),
                                 entry("deviceCustomNumber3Label", "cn3Label"),
                                 entry("flexString1", "flexString1"),
@@ -869,16 +869,16 @@ public void testAllFieldsInExtension() {
                         entry("mac", "00:0a:95:9d:68:16")
                     )
                 ),
-                entry("process", Map.of("name", "procName", "pid", 5678L)),
+                entry("process", Map.of("name", "procName", "pid", 5678)),
                 entry(
                     "destination",
                     Map.ofEntries(
                         entry("nat", Map.of("port", 8080, "ip", "10.0.0.2")),
                         entry("geo", Map.of("location", Map.of("lon", -122.4194, "lat", 37.7749))),
                         entry("registered_domain", "destNtDomain"),
-                        entry("process", Map.of("name", "destProc", "pid", 1234L)),
+                        entry("process", Map.of("name", "destProc", "pid", 1234)),
                         entry("port", 80),
-                        entry("bytes", 91011L),
+                        entry("bytes", 91011),
                         entry("service", Map.of("name", "destService")),
                         entry("domain", "destHost"),
                         entry("ip", "192.168.0.2"),
@@ -892,10 +892,10 @@ public void testAllFieldsInExtension() {
                         entry("geo", Map.of("location", Map.of("lon", -122.4194, "lat", 37.7749))),
                         entry("nat", Map.of("port", 8081, "ip", "10.0.0.4")),
                         entry("registered_domain", "sourceNtDomain"),
-                        entry("process", Map.of("name", "sourceProc", "pid", 1234L)),
+                        entry("process", Map.of("name", "sourceProc", "pid", 1234)),
                         entry("port", 443),
                         entry("service", Map.of("name", "sourceService")),
-                        entry("bytes", 5678L),
+                        entry("bytes", 5678),
                         entry("ip", "192.168.0.4"),
                         entry("domain", "sourceDomain"),
                         entry("user", Map.of("name", "sourceUser", "id", "sourceUserId", "group", Map.of("name", "sourcePriv"))),
@@ -910,7 +910,7 @@ public void testAllFieldsInExtension() {
                     Map.ofEntries(
                         entry("inode", "5678"),
                         entry("path", "/path/to/file"),
-                        entry("size", 1024),
+                        entry("size", 1024L),
                         entry("created", ZonedDateTime.parse("2021-06-01T11:43:20Z")),
                         entry("name", "file.txt"),
                         entry("mtime", ZonedDateTime.parse("2021-06-01T11:45Z")),