[cloudflare_logpush] Ingest Pipeline Improvements #19234

Open
brijesh-elastic wants to merge 10 commits into elastic:main from brijesh-elastic:cloudflare_logpush-fix_conflicts

Conversation

@brijesh-elastic
Contributor

Proposed commit message

cloudflare_logpush: Ingest Pipeline Improvements

- Update ECS to 9.3.0 and add new fields across multiple data streams
- Replace `rename` processors with typed `convert` processors for fields whose `fields.yml` mapping
  is `ip`, `long`, `double`, or `boolean`. This validates incoming values against the declared mapping
  and prevents off-type values from being silently indexed.
- Replace grok processors with dissect for simple delimiter-based patterns.
- Add `tag` key to each processor in the ingest pipelines.
- Standardize the error message format and use the latest null-removal script.
- Improve ECS mapping across multiple data streams.
- Consolidate timestamp handling to a single script across all data streams.
- Normalize severity handling in CASB data stream.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/cloudflare_logpush directory.
  • Run the following command to run tests.

elastic-package test -v

Related issues

brijesh-elastic and others added 10 commits May 8, 2026 16:16
…tiple data streams (elastic#18685)

Enhancements:
- Bump ECS version to `git@v9.3.0` and `format_version` to `3.3.2`.
- Replace deprecated `agent.yml` with `beats.yml` and use `external: ecs` in `base-fields.yml` across
  all 21 data streams.
- Add new fields with corresponding ingest pipeline processors:
  - `device_posture` (RegistrationID)
  - `firewall_event` (FraudUserID)
  - `gateway_dns` (12 fields including InternalDNS*, QueryApplication*, RequestContext*)
  - `gateway_http` (AppControlInfo, ApplicationStatuses, RedirectTargetURI, RegistrationID)
  - `gateway_network` (RegistrationID)
  - `http_request` (11 fields including Fraud*, WebAssets*, WorkerScriptName)
  - `network_analytics` (DNSQueryName, DNSQueryType, PFPCustomTag)
  - `network_session` (InitialOriginIP, RegistrationID, ResolvedFQDN, SNI)
  - `workers_trace` (CPUTimeMs, WallTimeMs)
…d use of dissect processors (elastic#18952)

- Replace `rename` with typed `convert` processors for `ip`, `long`, and `boolean` fields.
  This validates values against `fields.yml` mappings and prevents off-type indexing.
- Replace `grok` with `dissect` for simple delimiter-based patterns.
Run `elastic-package modify -m pipeline-tag` to add a tag key to each processor.
…latest null-removal script (elastic#19003)

- Standardize the `error.message` format and implement the latest null-removal script;
  additionally, add `on_failure` handlers to all script processors.
- Remove `ignore_failure: true` from JSON processors and append processors for `related.*` fields.
- Utilize custom fields instead of standard ECS fields within the `related.*` append processors
  to improve maintainability and consistency.
- Apply `ignore_empty_value: true` and `ignore_missing: true` across processors, and
  refine `if` conditions to ensure the ingest pipeline is fully null-safe.
…streams (elastic#19085)

Factor the string-to-number conversion out of each data stream's
Painless timestamp script into a preceding convert processor. This
leaves the script responsible only for magnitude adjustment
(nanoseconds to milliseconds or seconds to milliseconds) and lets
it assume its input is already numeric.

The previous script performed type checking, string parsing, and
magnitude adjustment in a single try/catch block that silently
swallowed all exceptions. With the conversion handled by a separate
processor, the script's on_failure handler now surfaces errors
properly via error.message.
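
The typed-convert and timestamp split described in the commit messages above, as an added example that is not taken from this PR's pipelines. The field names `json.ClientIP`, `json.Timestamp` and `example.client_ip`, the tags, and the magnitude thresholds in the script are assumptions chosen for illustration; the `error.message` text follows the format quoted in this PR.

```yaml
# Added example, not the project's pipeline. Field names, tags and the
# magnitude thresholds are assumptions.
processors:
  # A rename would move any string into the ip-mapped field and leave the
  # rejection to indexing. convert with type: ip fails inside the pipeline,
  # where on_failure can record which processor saw the off-type value.
  - convert:
      tag: convert_json_ClientIP_to_example_client_ip
      field: json.ClientIP
      target_field: example.client_ip
      type: ip
      ignore_missing: true
      on_failure:
        - append:
            field: error.message
            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'

  # Step 1: string-to-number conversion lives in its own processor, so a
  # non-numeric timestamp is reported instead of swallowed by a try/catch.
  - convert:
      tag: convert_json_Timestamp_to_long
      field: json.Timestamp
      type: long
      ignore_missing: true
      on_failure:
        - append:
            field: error.message
            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'

  # Step 2: the script only adjusts magnitude and may assume numeric input;
  # the if guard skips it when step 1 failed and left a string behind.
  - script:
      tag: script_normalize_json_Timestamp_to_millis
      lang: painless
      if: ctx.json?.Timestamp instanceof Number
      source: |-
        long t = ((Number) ctx.json.Timestamp).longValue();
        if (t >= 100000000000000000L) {
          t = t / 1000000L;   // nanoseconds to milliseconds
        } else if (t < 100000000000L) {
          t = t * 1000L;      // seconds to milliseconds
        }
        ctx.json.Timestamp = t;
      on_failure:
        - append:
            field: error.message
            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'

  # Step 3: parse the normalized epoch milliseconds into @timestamp.
  - date:
      tag: date_json_Timestamp_to_timestamp
      field: json.Timestamp
      if: ctx.json?.Timestamp instanceof Number
      formats:
        - UNIX_MS
      on_failure:
        - append:
            field: error.message
            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
```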
@brijesh-elastic brijesh-elastic self-assigned this May 27, 2026
@brijesh-elastic brijesh-elastic requested review from a team as code owners May 27, 2026 10:42
@brijesh-elastic brijesh-elastic added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:cloudflare_logpush Cloudflare Logpush Category: Integration quality Category: Quality used for SI planning Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:SDE-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels May 27, 2026
@infra-vault-gh-plugin-prod

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@github-actions
Contributor

Vale Linting Results

Summary: 136 warnings, 7 suggestions found

⚠️ Warnings (136)
File Line Rule Message
packages/cloudflare_logpush/docs/README.md 79 Elastic.DirectionalLanguage Don't use directional language. Use 'in the following section' instead of 'listed below'.
packages/cloudflare_logpush/docs/README.md 105 Elastic.DirectionalLanguage Don't use directional language. Use 'the following element' instead of 'the steps below'.
packages/cloudflare_logpush/docs/README.md 108 Elastic.DontUse Don't use 'please'.
packages/cloudflare_logpush/docs/README.md 112 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 131 Elastic.DontUse Don't use 'just'.
packages/cloudflare_logpush/docs/README.md 151 Elastic.DontUse Don't use 'Please'.
packages/cloudflare_logpush/docs/README.md 152 Elastic.DontUse Don't use 'please'.
packages/cloudflare_logpush/docs/README.md 348 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cloudflare_logpush/docs/README.md 348 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 349 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 350 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cloudflare_logpush/docs/README.md 351 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 352 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 501 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cloudflare_logpush/docs/README.md 501 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 502 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 503 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cloudflare_logpush/docs/README.md 504 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 505 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 674 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cloudflare_logpush/docs/README.md 674 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 675 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 676 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cloudflare_logpush/docs/README.md 677 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 678 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 854 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cloudflare_logpush/docs/README.md 854 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 855 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 856 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cloudflare_logpush/docs/README.md 857 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 858 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 959 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'that is' instead of 'i.e'.
packages/cloudflare_logpush/docs/README.md 961 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cloudflare_logpush/docs/README.md 961 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 962 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 963 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cloudflare_logpush/docs/README.md 964 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 965 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 1092 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cloudflare_logpush/docs/README.md 1092 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 1093 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 1094 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cloudflare_logpush/docs/README.md 1095 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 1096 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 1273 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cloudflare_logpush/docs/README.md 1273 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 1274 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 1275 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cloudflare_logpush/docs/README.md 1276 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 1277 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 1535 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cloudflare_logpush/docs/README.md 1535 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 1536 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 1537 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cloudflare_logpush/docs/README.md 1538 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 1539 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 1767 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cloudflare_logpush/docs/README.md 1767 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 1768 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 1769 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cloudflare_logpush/docs/README.md 1770 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 1771 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 2110 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cloudflare_logpush/docs/README.md 2110 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 2111 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 2112 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cloudflare_logpush/docs/README.md 2113 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 2114 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 2366 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'eg'.
packages/cloudflare_logpush/docs/README.md 2411 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cloudflare_logpush/docs/README.md 2411 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 2412 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 2413 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cloudflare_logpush/docs/README.md 2414 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 2415 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 2636 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cloudflare_logpush/docs/README.md 2636 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 2637 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 2638 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cloudflare_logpush/docs/README.md 2639 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 2640 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 3093 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cloudflare_logpush/docs/README.md 3093 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 3094 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 3095 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cloudflare_logpush/docs/README.md 3096 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 3097 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 3260 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cloudflare_logpush/docs/README.md 3260 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 3261 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 3262 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cloudflare_logpush/docs/README.md 3263 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 3264 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 3385 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cloudflare_logpush/docs/README.md 3385 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 3386 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 3387 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cloudflare_logpush/docs/README.md 3388 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 3389 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 3747 Elastic.BritishSpellings Use American English spelling 'acknowledgment' instead of British English 'Acknowledgement'.
packages/cloudflare_logpush/docs/README.md 3766 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cloudflare_logpush/docs/README.md 3766 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 3767 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 3768 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cloudflare_logpush/docs/README.md 3769 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 3770 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 4052 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cloudflare_logpush/docs/README.md 4052 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 4053 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 4054 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cloudflare_logpush/docs/README.md 4055 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 4056 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 4177 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cloudflare_logpush/docs/README.md 4177 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 4178 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 4179 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cloudflare_logpush/docs/README.md 4180 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 4181 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 4389 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cloudflare_logpush/docs/README.md 4389 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 4390 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 4391 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cloudflare_logpush/docs/README.md 4392 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 4393 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 4602 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cloudflare_logpush/docs/README.md 4602 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 4603 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 4604 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cloudflare_logpush/docs/README.md 4605 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 4606 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 4755 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cloudflare_logpush/docs/README.md 4755 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 4756 Elastic.DirectionalLanguage Don't use directional language. Use 'earlier on this page' instead of 'noted above'.
packages/cloudflare_logpush/docs/README.md 4757 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cloudflare_logpush/docs/README.md 4758 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cloudflare_logpush/docs/README.md 4759 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
💡 Suggestions (7)
File Line Rule Message
packages/cloudflare_logpush/docs/README.md 5 Elastic.Semicolons Use semicolons judiciously.
packages/cloudflare_logpush/docs/README.md 5 Elastic.Semicolons Use semicolons judiciously.
packages/cloudflare_logpush/docs/README.md 5 Elastic.Semicolons Use semicolons judiciously.
packages/cloudflare_logpush/docs/README.md 665 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
packages/cloudflare_logpush/docs/README.md 1731 Elastic.WordChoice Consider using 'top-level' instead of 'first-class', unless the term is in the UI.
packages/cloudflare_logpush/docs/README.md 2377 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
packages/cloudflare_logpush/docs/README.md 3089 Elastic.Wordiness Consider using 'whether' instead of 'Whether or not'.

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

Comment on lines +4 to +6
- description: Ingest pipeline improvements.
type: enhancement
link: https://github.com/elastic/integrations/pull/19163
Contributor

Do you mean 19234 this PR? 19163 is going to be closed.

I'm not sure if we want to call out this PR too - because it's just a consolidation of all the below ones.
@efd6 WDYT?

@andrewkroh andrewkroh removed documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:cloudflare_logpush Cloudflare Logpush labels May 27, 2026
@elasticmachine

💚 Build Succeeded

cc @brijesh-elastic

@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:cloudflare_logpush Cloudflare Logpush labels May 27, 2026
target_field: cloudflare_logpush.access_request.country
ignore_missing: true
- set:
tag: set_client_geo_country_name_cc252be1

🟡 MEDIUM data_stream/access_request/.../default.yml:149

client.geo.country_name set from lowercase ISO code

The set processor copies cloudflare_logpush.access_request.country (a lowercase ISO-3166 alpha-2 code such as "us" per the test fixture test-pipeline-access-request.log) directly into client.geo.country_name. The subsequent geoip processor at line 183 uses default override=true and silently masks this for IPs MaxMind can resolve, but for private/unresolvable IPs the field is left holding a lowercase ISO code instead of a human-readable name. client.geo.country_iso_code is the correct ECS target for an ISO code.

Recommendation:

Either drop the manual set and rely on geoip alone, or normalize the value into country_iso_code:

- uppercase:
    tag: uppercase_country_iso_code_from_cloudflare_logpush_access_request_country
    field: cloudflare_logpush.access_request.country
    target_field: client.geo.country_iso_code
    ignore_missing: true

Then remove the existing set that targets client.geo.country_name.


🤖 AI-Generated Review | Vera Review Bot

⚠️ Automated review — verify suggestions before applying.

target_field: cloudflare_logpush.gateway_http.proxy_endpoint
ignore_missing: true
- convert:
tag: convert_json_Quarantined_to_cloudflare_logpush_gateway_http_quarantined_f31dfd9b

🟡 MEDIUM data_stream/gateway_http/.../default.yml:498

convert type: boolean writes to keyword-declared field (gateway_http.quarantined)

The convert processor sets cloudflare_logpush.gateway_http.quarantined with type: boolean, but data_stream/gateway_http/fields/fields.yml:115-117 declares quarantined as type: keyword. Elasticsearch coerces the boolean to the string "true"/"false" on indexing, which breaks boolean queries (e.g., quarantined: true) and is inconsistent with the sibling isolated field declared type: boolean.

Recommendation:

Align the field declaration with the convert type. Update fields/fields.yml:115-117:

- name: quarantined
  type: boolean
  description: If the request content was quarantined.

🤖 AI-Generated Review | Vera Review Bot

⚠️ Automated review — verify suggestions before applying.

field: error.message
value: |-
Processor "{{{ _ingest.on_failure_processor_type }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}"
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
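
Review bot: In the new single-line `value`, `{{{_ingest.on_failure_processor_tag}}}` and the other interpolated values lost the double quotes that the old message placed around each one. If the failing processor carries no tag, the text renders as `with tag  in pipeline`, which is easy to misread in `error.message`; consider keeping the quotes, for example `with tag "{{{_ingest.on_failure_processor_tag}}}"`, so an empty value stays visible.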

🔵 LOW data_stream/access_request/.../default.yml:343

Global on_failure block partially tagged (all 21 data streams)

The PR added tags to the set event.kind processor inside each pipeline's top-level on_failure block, but the two surrounding append processors (one for error.message, one for tags) remain untagged. This is inconsistent with the otherwise comprehensive tagging applied across the rest of each pipeline. The same partial-tagging pattern is present in all 21 data-stream pipelines under data_stream/*/elasticsearch/ingest_pipeline/default.yml.

Recommendation:

Add tag: keys to the two append processors in the global on_failure block of every data-stream pipeline:

on_failure:
  - append:
      tag: append_pipeline_error_message
      field: error.message
      value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
  - set:
      tag: set_pipeline_error_to_event_kind
      field: event.kind
      value: pipeline_error
  - append:
      tag: append_preserve_original_event_tag
      field: tags
      value: preserve_original_event
      allow_duplicates: false

🤖 AI-Generated Review | Vera Review Bot

⚠️ Automated review — verify suggestions before applying.
