From 9f283945ad682345e26065c10d912908dc61ee4d Mon Sep 17 00:00:00 2001
From: Dan Kortschak <90160302+efd6@users.noreply.github.com>
Date: Thu, 20 Jul 2023 13:45:15 +0930
Subject: [PATCH] x-pack/filebeat/processors/decode_def/cef: relax size constraint on network bytes (#36108)

Relax the width of in and out fields from integer to long to allow values greater beyond 2GiB.
---
 CHANGELOG.next.asciidoc | 1 +
 x-pack/filebeat/processors/decode_cef/cef/cef_test.go | 6 +++++-
 x-pack/filebeat/processors/decode_cef/cef/keys.go | 4 ++--
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 8b01cf6c662..ff3484eda93 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -350,6 +350,7 @@ automatic splitting at root level, if root level element is an array. {pull}3415
 - Add `clean_session` configuration setting for MQTT input. {pull}35806[16204]
 - Add fingerprint mode for the filestream scanner and new file identity based on it {issue}34419[34419] {pull}35734[35734]
 - Add file system metadata to events ingested via filestream {issue}35801[35801] {pull}36065[36065]
+- Allow parsing bytes in and bytes out as long integer in CEF processor. {issue}36100[36100] {pull}36108[36108]
 *Auditbeat*
 - Migration of system/package module storage from gob encoding to flatbuffer encoding in bolt db. {pull}34817[34817]
diff --git a/x-pack/filebeat/processors/decode_cef/cef/cef_test.go b/x-pack/filebeat/processors/decode_cef/cef/cef_test.go
index 297642b559f..cc4a4ed786c 100644
--- a/x-pack/filebeat/processors/decode_cef/cef/cef_test.go
+++ b/x-pack/filebeat/processors/decode_cef/cef/cef_test.go
@@ -20,7 +20,7 @@ import (
 var generateCorpus = flag.Bool("corpus", false, "generate fuzz corpus from test cases")
 const (
-	standardMessage = `CEF:26|security|threatmanager|1.0|100|trojan successfully stopped|10|src=10.0.0.192 dst=12.121.122.82 spt=1232 eventId=1`
+	standardMessage = `CEF:26|security|threatmanager|1.0|100|trojan successfully stopped|10|src=10.0.0.192 dst=12.121.122.82 spt=1232 eventId=1 in=4294967296 out=4294967296`
 	headerOnly = `CEF:26|security|threatmanager|1.0|100|trojan successfully stopped|10|`
@@ -124,6 +124,8 @@ func TestEventUnpack(t *testing.T) {
 			"dst": IPField("12.121.122.82"),
 			"spt": IntegerField(1232),
 			"eventId": LongField(1),
+			"in": LongField(4294967296),
+			"out": LongField(4294967296),
 		}, e.Extensions)
 	})
@@ -449,6 +451,8 @@ func TestEventUnpackWithFullExtensionNames(t *testing.T) {
 		"destinationAddress": IPField("12.121.122.82"),
 		"sourcePort": IntegerField(1232),
 		"eventId": LongField(1),
+		"bytesIn": LongField(4294967296),
+		"bytesOut": LongField(4294967296),
 	}, e.Extensions)
 }
diff --git a/x-pack/filebeat/processors/decode_cef/cef/keys.go b/x-pack/filebeat/processors/decode_cef/cef/keys.go
index 7ea0f00d446..43854a304c0 100644
--- a/x-pack/filebeat/processors/decode_cef/cef/keys.go
+++ b/x-pack/filebeat/processors/decode_cef/cef/keys.go
@@ -90,11 +90,11 @@ var extensionMapping = map[string]mappedField{
 	},
 	"in": {
 		Target: "bytesIn",
-		Type: IntegerType,
+		Type: LongType,
 	},
 	"out": {
 		Target: "bytesOut",
-		Type: IntegerType,
+		Type: LongType,
 	},
 	"customerExternalID": {
 		Target: "customerExternalID",
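Review bot: The new expectations in TestEventUnpack and TestEventUnpackWithFullExtensionNames both use 4294967296 (2^32), one power of two above the 2GiB limit the commit message gives as the motivation, so the boundary the old IntegerType mapping presumably rejected (2147483648, 2^31) is never pinned by a test; extending standardMessage with a value in that range, e.g. `in=2147483648` matched by `"in": LongField(2147483648),` (constructed sample), would lock the regression in at the point it actually mattered. The tests also cover only well-formed counts; since `in`/`out` arrive from untrusted log sources, a case with a value that overflows a 64-bit integer, asserting the error the unpack reports rather than a panic, would document how oversized byte counts are handled. Both test functions start outside the hunk.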
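Review bot: The widened `in` and `out` entries in extensionMapping now diverge from the CEF extension dictionary, which defines both "Bytes In" and "Bytes Out" as Integer, and nothing in the hunk records why, so a later consistency pass could revert them to IntegerType. Add a comment on the two entries, e.g. `// in/out are Integer in the CEF dictionary, but devices report byte counts beyond 2GiB; mapped to Long, see #36100.` The extensionMapping literal starts and ends outside the hunk.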