x-pack/filebeat/processors/decode_def/cef: relax size constraint on n…

…etwork bytes (#36108) Relax the width of in and out fields from integer to long to allow values greater beyond 2GiB.
elastic · Jul 20, 2023 · 9f28394 · 9f28394
1 parent 4eaa918
commit 9f28394
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 3 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -350,6 +350,7 @@ automatic splitting at root level, if root level element is an array. {pull}3415
 - Add `clean_session` configuration setting for MQTT input.  {pull}35806[16204]
 - Add fingerprint mode for the filestream scanner and new file identity based on it {issue}34419[34419] {pull}35734[35734]
 - Add file system metadata to events ingested via filestream {issue}35801[35801] {pull}36065[36065]
+- Allow parsing bytes in and bytes out as long integer in CEF processor. {issue}36100[36100] {pull}36108[36108]
 
 *Auditbeat*
    - Migration of system/package module storage from gob encoding to flatbuffer encoding in bolt db. {pull}34817[34817]

diff --git a/x-pack/filebeat/processors/decode_cef/cef/cef_test.go b/x-pack/filebeat/processors/decode_cef/cef/cef_test.go
@@ -20,7 +20,7 @@ import (
 var generateCorpus = flag.Bool("corpus", false, "generate fuzz corpus from test cases")
 
 const (
-	standardMessage = `CEF:26|security|threatmanager|1.0|100|trojan successfully stopped|10|src=10.0.0.192 dst=12.121.122.82 spt=1232 eventId=1`
+	standardMessage = `CEF:26|security|threatmanager|1.0|100|trojan successfully stopped|10|src=10.0.0.192 dst=12.121.122.82 spt=1232 eventId=1 in=4294967296 out=4294967296`
 
 	headerOnly = `CEF:26|security|threatmanager|1.0|100|trojan successfully stopped|10|`
 
@@ -124,6 +124,8 @@ func TestEventUnpack(t *testing.T) {
 			"dst":     IPField("12.121.122.82"),
 			"spt":     IntegerField(1232),
 			"eventId": LongField(1),
+			"in":      LongField(4294967296),
+			"out":     LongField(4294967296),
 		}, e.Extensions)
 	})
 
@@ -449,6 +451,8 @@ func TestEventUnpackWithFullExtensionNames(t *testing.T) {
 		"destinationAddress": IPField("12.121.122.82"),
 		"sourcePort":         IntegerField(1232),
 		"eventId":            LongField(1),
+		"bytesIn":            LongField(4294967296),
+		"bytesOut":           LongField(4294967296),
 	}, e.Extensions)
 }
 

diff --git a/x-pack/filebeat/processors/decode_cef/cef/keys.go b/x-pack/filebeat/processors/decode_cef/cef/keys.go
@@ -90,11 +90,11 @@ var extensionMapping = map[string]mappedField{
 	},
 	"in": {
 		Target: "bytesIn",
-		Type:   IntegerType,
+		Type:   LongType,
 	},
 	"out": {
 		Target: "bytesOut",
-		Type:   IntegerType,
+		Type:   LongType,
 	},
 	"customerExternalID": {
 		Target: "customerExternalID",