[cef] Update Beats config to ignore empty fields

[jrmolin]

A user is noticing parsing failures with the cef processor that can be attributed to empty fields not being properly ignored.

Proposed commit message

[cef] Update the settings to ignore empty fields

• When the pipeline hits empty fields, it errors out
• An update in the cef_processor allows for empty fields to be ignored, but this is not configurable in the settings
• This updates the settings to add a configuration value to turn on/off the ability to ignore empty fields
• A new test was added
• No test regressions

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• [ ]

How to test this PR locally

Related issues

Screenshots

[jrmolin]

@P1llus could you check this for me, please?

[P1llus]

Except the note the rest seems correct :)

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elasticmachine]

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

[andrewkroh]

The test changes look good now.

I assume the intention behind using YAML anchors is to reduce duplication, but I have concerns about whether the added complexity and loss of readability make it worthwhile. It's not a blocker from me, but I would seek out a few more opinions.

[jrmolin]

The test changes look good now.

I assume the intention behind using YAML anchors is to reduce duplication, but I have concerns about whether the added complexity and loss of readability make it worthwhile. It's not a blocker from me, but I would seek out a few more opinions.

i can revert those. now that i know they work, i'm excited about the possibility of using them in pipelines

[taylor-swanson]

The test changes look good now.
I assume the intention behind using YAML anchors is to reduce duplication, but I have concerns about whether the added complexity and loss of readability make it worthwhile. It's not a blocker from me, but I would seek out a few more opinions.

i can revert those. now that i know they work, i'm excited about the possibility of using them in pipelines

I have mixed feelings about them. On one hand, it's really nice to avoid code duplication, but it does reduce readability, at least at first. I think with time I could get used to it.

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 103f0e6

History

• 💚 Build #23571 succeeded 64b9a08
• 💚 Build #23479 succeeded dfd0221
• 💔 Build #23472 failed be5435a
• 💔 Build #23372 failed 7a5aa69
• 💔 Build #23367 failed 30ce9f1

[bhapas]

Interested to see how the ingest document looks like if ignore_empty_values is false. Is it something like this? Or does it fail?

cef: { cs1: null, cs2: null, message: rfc5424, ......... 

[taylor-swanson]

Looking at the associated SDH, it looks like it was producing empty strings, which was throwing off another processor. Unfortunately, since this involves a beats processor, we don't have a sample event we can look at like we can with a pipeline test.

@jrmolin, could you fill out the PR description explaining why this change is needed? Doesn't need to be extensive, just something brief. Helps reviewers know why this change is going in.

[bhapas]

@taylor-swanson Running elastic-package system test , can we not see what event.original / message field looks like in the pipeline? It should be the one processed from beats processors? Or do we bypass the agent config?

[taylor-swanson]

Oh yes, you could do that, it's just a manual process rather than looking at the expected file in github.

[bhapas]

But yeah, I was just curious. But this is not a blocker comment @jrmolin .. But as Taylor mentioned please add some description about the change.

[elastic-vault-github-plugin-prod]

Package cef - 2.21.1 containing this change is available at https://epr.elastic.co/package/cef/2.21.1/