websocket: new generic integration #9926
Conversation
1. This makes the Filebeat Websocket input available as an integration package.
muskan-agarwal26
changed the title
muskan-agarwal26
changed the title
ShourieG
added
the
Team:Security-Service Integrations
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
ShourieG
added
New Integration
integration
| ```yaml | ||
| - type: websocket | ||
| url: "ws://websocket-server.example.com/stream" | ||
| headers: | ||
| Cookie: "session_id=abcdef1234567890" | ||
| ``` |
There was a problem hiding this comment.
This is not what the user will do AFAICS. I suggest that if you are using examples, use screen shots of the UI with values filled in. Though I think the standard textual approach should be fine so long as the relevant UI elements are described.
Also, this should show that the user will need to provide a CEL program to handle the messages. A minimal program that just passes the message unaltered to the output seems appropriate.
|
|
||
| The WebSocket input will consume messages from the server as they are transmitted. These messages are expected to be in a format that Filebeat can process, such as JSON. If the message format is different, you may need to define a processor to parse and structure the data before it is sent to Elasticsearch. | ||
|
|
||
| **NOTE**: The websocket input as of now does not support XML messages. |
There was a problem hiding this comment.
| **NOTE**: The websocket input as of now does not support XML messages. | |
| **NOTE**: The websocket input does not support XML messages. |
Do we plan to change this? @ShourieG I don't see any reason in principle why we can't.
There was a problem hiding this comment.
@efd6, yes we definitely want to support XML in future but need to establish how popular XLM over ws is. I have seen very few instances of this. So this is definitely possible but need to figure out an use case where such a model would come in use.
| bytes(state.response).decode_json().as(inner_body,{ | ||
| "events": inner_body, | ||
| }) |
There was a problem hiding this comment.
| bytes(state.response).decode_json().as(inner_body,{ | |
| "events": inner_body, | |
| }) | |
| bytes(state.response).decode_json().as(body, { | |
| "events": body, | |
| }) |
|
/test |
💔 Build Failed
Failed CI StepsHistory |
| service: websocket-mock-service | ||
| vars: | ||
| url: ws://{{Hostname}}:{{Port}} | ||
| program: | |
There was a problem hiding this comment.
Can we also add a more robust test scenario that demonstrates more CEL usage ?
| @@ -0,0 +1,83 @@ | |||
| format_version: 3.0.2 | |||
| name: websocket | |||
| title: Custom input using Websocket | |||
There was a problem hiding this comment.
Can we adjust the title to ensure it aligns with our other custom packages. Title should be Custom Websocket logs
| url: {{url}} | ||
|
|
||
| program: {{escape_string program}} | ||
|
|
||
| {{#if pipeline}} | ||
| pipeline: {{pipeline}} | ||
| {{/if}} | ||
|
|
There was a problem hiding this comment.
AFAICS not all configuration options supported by the input such as state, redact.*, regexp, auth.* are added. It would be nice to add all options to allow user to configure.
| @@ -0,0 +1,34 @@ | |||
| # WebSocket Input Integration | |||
There was a problem hiding this comment.
| # WebSocket Input Integration | |
| # Custom WebSocket Input |
This is how we've been naming for other custom integrations.
Proposed commit message
This makes the Filebeat Websocket input available as an integration package.
Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
Related issues
Screenshots