Skip to content

[Cisco Nexus] Improve timezone and timestamp handling #14504

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 12 commits into
base: main
Choose a base branch
from
Open

[Cisco Nexus] Improve timezone and timestamp handling #14504

wants to merge 12 commits into from
+509 −318

Conversation

P1llus
Copy link
Member

@P1llus P1llus commented Jul 11, 2025
edited
Loading

Proposed commit message

The PR introduces tz_map as an option in the configuration of the integration, similar to tz_map this is specifically for usecases where the vendor provides a timezone format in their logs which is not supported by Java, and is the only way for a user to map these unsupported formats to a proper IANA format on ingest time.

While implementing this there was also several unecessary additions between syslog and vendor timestamps, so I changed that up a bit and updated the system and pipeline tests. Older documents now get missing ECS fields and the dates are parsed correctly also on older logs (which is why older pipeline test output have changes in them).

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

@P1llus P1llus added enhancement New feature or request Integration:cisco_nexus Cisco Nexus Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices] labels Jul 11, 2025
@dwhyrock dwhyrock mentioned this pull request Jul 11, 2025
Closed
5 tasks
@P1llus P1llus marked this pull request as ready for review July 11, 2025 12:40
@P1llus P1llus requested a review from a team as a code owner July 11, 2025 12:40
@elasticmachine
Copy link

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

@elastic-vault-github-plugin-prod
Copy link

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
98.6% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

@elasticmachine
Copy link

💚 Build Succeeded

History

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Jul 11, 2025
dwhyrock
dwhyrock reviewed Jul 11, 2025
View reviewed changes
Copy link
Contributor

@dwhyrock dwhyrock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks pretty good, but I had a couple questions.

@taylor-swanson can you take a look at this as well, please?

packages/cisco_nexus/changelog.yml
changes:
- description: Fix bug that did not recognize timestamps to use tz_map override.
type: bugfix
link: https://github.com/elastic/integrations/pull/14458
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR link needs to be updated

packages/cisco_nexus/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -3,126 +3,101 @@ description: Pipeline for processing Cisco Nexus logs.
processors:
- set:
field: ecs.version
value: '8.17.0'
tag: 'set_ecs_version'
value: "8.17.0"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Curious why you're updating the single quotes to double quotes? I do prefer the doubles, but curious if there's some yaml-specific reason to do this.

packages/cisco_nexus/data_stream/log/sample_event.json
},
"cisco_nexus": {
"log": {
"description": "EARL 0 NF ASIC: Uncorrectable Parity error in Netflow Table.",
"facility": "EARL",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason why all of these fields are being deleted? Is this part of the processing changes in default.yml, or something else?

@dwhyrock dwhyrock requested a review from a team July 15, 2025 13:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dwhyrock dwhyrock dwhyrock left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:cisco_nexus Cisco Nexus Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices]
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@P1llus @elasticmachine @dwhyrock @andrewkroh