Change deviceFacility to String per spec

bhapas · bhapas · commit 24ce92516d3a · 2025-04-14T09:39:12.000+02:00
diff --git a/modules/ingest-common/src/main/java/org/elasticsearch/ingest/common/CefParser.java b/modules/ingest-common/src/main/java/org/elasticsearch/ingest/common/CefParser.java
@@ -186,7 +186,7 @@ enum DataType {
         entry("deviceDnsDomain", new ExtensionMapping("deviceDnsDomain", StringType, "observer.registered_domain")),
         entry("cat", new ExtensionMapping("deviceEventCategory", StringType, null)),
         entry("deviceExternalId", new ExtensionMapping("deviceExternalId", StringType, "observer.name")),
-        entry("deviceFacility", new ExtensionMapping("deviceFacility", IntegerType, "log.syslog.facility.code")),
+        entry("deviceFacility", new ExtensionMapping("deviceFacility", StringType, null)),
         entry("dvchost", new ExtensionMapping("deviceHostName", StringType, "observer.hostname")),
         entry("deviceInboundInterface", new ExtensionMapping("deviceInboundInterface", StringType, "observer.ingress.interface.name")),
         entry("dvcmac", new ExtensionMapping("deviceMacAddress", MACAddressType, "observer.mac")),
diff --git a/modules/ingest-common/src/test/java/org/elasticsearch/ingest/common/CefProcessorTests.java b/modules/ingest-common/src/test/java/org/elasticsearch/ingest/common/CefProcessorTests.java
@@ -823,6 +823,7 @@ public void testAllFieldsInExtension() {
                                 entry("flexString2", "flexString2"),
                                 entry("deviceCustomNumber3Label", "cn3Label"),
                                 entry("flexString1", "flexString1"),
+                                entry("deviceFacility", "16"),
                                 entry("deviceCustomString4Label", "cs4Label"),
                                 entry("flexString2Label", "flexString2Label"),
                                 entry("deviceCustomString3", "customString3"),
@@ -842,7 +843,6 @@ public void testAllFieldsInExtension() {
                     )
                 ),
                 entry("host", Map.of("nat", Map.of("ip", "10.0.0.3"))),
-                entry("log", Map.of("syslog", Map.of("facility", Map.of("code", 16)))),
                 entry(
                     "observer",
                     Map.ofEntries(
