
[cloudflare_logpush] fix several ingest pipeline and field definition bugs across multiple data streams #18673

Merged: brijesh-elastic merged 7 commits into elastic:main from brijesh-elastic:cloudflare_logpush-1.44.1 on May 8, 2026

brijesh-elastic (Collaborator) commented Apr 28, 2026

Proposed commit message

cloudflare_logpush: fix several ingest pipeline and field definition bugs across multiple data streams

Bugfixes:
- Fix incorrect field-path references and PascalCase mismatches with Cloudflare JSON keys.
- Fix `dns` and `gateway_dns` to populate `related.hosts` and `related.ip` from the correct
  package fields.
- Fix `gateway_network` GeoIP enrichment to tolerate missing source and destination IPs.
- Fix `network_analytics` TCP SACK blocks split ordering and empty-string handling.
- Fix swapped field descriptions in `firewall_event` and `http_request`.
- Remove orphaned `page_shield_events.page` field that was never populated.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/cloudflare_logpush directory.
  • Run the following command to run tests.

elastic-package test -v

brijesh-elastic self-assigned this Apr 28, 2026
brijesh-elastic requested a review from a team as a code owner April 28, 2026 11:44
brijesh-elastic added labels Apr 28, 2026:
  • Integration:cloudflare_logpush (Cloudflare Logpush)
  • bugfix (Pull request that fixes a bug issue)
  • Category: Integration quality (Category: Quality used for SI planning)
  • Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations])
  • Team:SDE-Crest (Crest developers on the Security Integrations team [elastic/sit-crest-contractors])

infra-vault-gh-plugin-prod commented:

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

github-actions Bot (Contributor) commented Apr 29, 2026

Vale Linting Results

Summary: 16 warnings, 8 suggestions found

⚠️ Warnings (16)
| File | Line | Rule | Message |
|---|---|---|---|
| packages/cloudflare_logpush/docs/README.md | 108 | Elastic.DontUse | Don't use 'please'. |
| packages/cloudflare_logpush/docs/README.md | 112 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'. |
| packages/cloudflare_logpush/docs/README.md | 119 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'using' instead of 'via'. |
| packages/cloudflare_logpush/docs/README.md | 131 | Elastic.DontUse | Don't use 'just'. |
| packages/cloudflare_logpush/docs/README.md | 139 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'using' instead of 'via'. |
| packages/cloudflare_logpush/docs/README.md | 150 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'using' instead of 'via'. |
| packages/cloudflare_logpush/docs/README.md | 151 | Elastic.DontUse | Don't use 'Please'. |
| packages/cloudflare_logpush/docs/README.md | 152 | Elastic.DontUse | Don't use 'please'. |
| packages/cloudflare_logpush/docs/README.md | 192 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'using' instead of 'via'. |
| packages/cloudflare_logpush/docs/README.md | 965 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'that is' instead of 'i.e'. |
| packages/cloudflare_logpush/docs/README.md | 1259 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'using' instead of 'via'. |
| packages/cloudflare_logpush/docs/README.md | 2306 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'eg'. |
| packages/cloudflare_logpush/docs/README.md | 2333 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'using' instead of 'via'. |
| packages/cloudflare_logpush/docs/README.md | 2563 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'using' instead of 'via'. |
| packages/cloudflare_logpush/docs/README.md | 3628 | Elastic.BritishSpellings | Use American English spelling 'acknowledgment' instead of British English 'Acknowledgement'. |
| packages/cloudflare_logpush/docs/README.md | 3906 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'using' instead of 'via'. |

💡 Suggestions (8)
| File | Line | Rule | Message |
|---|---|---|---|
| packages/cloudflare_logpush/docs/README.md | 5 | Elastic.Semicolons | Use semicolons judiciously. |
| packages/cloudflare_logpush/docs/README.md | 5 | Elastic.Semicolons | Use semicolons judiciously. |
| packages/cloudflare_logpush/docs/README.md | 5 | Elastic.Semicolons | Use semicolons judiciously. |
| packages/cloudflare_logpush/docs/README.md | 182 | Elastic.WordChoice | Consider using 'refer to if it's a document, view if it's a UI element' instead of 'See', unless the term is in the UI. |
| packages/cloudflare_logpush/docs/README.md | 673 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/cloudflare_logpush/docs/README.md | 1695 | Elastic.WordChoice | Consider using 'top-level' instead of 'first-class', unless the term is in the UI. |
| packages/cloudflare_logpush/docs/README.md | 2317 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/cloudflare_logpush/docs/README.md | 2995 | Elastic.Wordiness | Consider using 'whether' instead of 'Whether or not'. |

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

andrewkroh added the documentation label (Improvements or additions to documentation. Applied to PRs that modify *.md files.) Apr 29, 2026
Comment thread packages/cloudflare_logpush/changelog.yml Outdated
Comment thread packages/cloudflare_logpush/changelog.yml
Comment thread packages/cloudflare_logpush/changelog.yml Outdated

github-actions Bot (Contributor) commented May 6, 2026

TL;DR

Build 42405 failed before repository code execution: the Buildkite agent environment hook could not retrieve Vault secret github/token/elastic-integrations-pipeline and aborted pipeline upload. Immediate action is to restore/validate that Vault path (or role mapping) and then retry the build.

Remediation

  • Ensure Vault has a value at github/token/elastic-integrations-pipeline and that role elastic-integrations-pipeline can read it from this pipeline context.
  • Re-run the build after secret/path access is fixed; no code change in this PR is indicated by this failure.

Investigation details

Root Cause

The failed job is :pipeline::arrow_up: Upload Pipeline: .buildkite/pipeline.yml, but the failure occurs in the agent environment hook prior to command execution. The hook repeatedly attempts to fetch the GitHub token from Vault and exits non-zero after retries.

This is an infrastructure/configuration failure (secret provisioning/access), not a test/code/runtime failure in PR changes.

Evidence

Attempting to retrieve GitHub token from Vault at path: github/token/elastic-integrations-pipeline
No value found at github/token/elastic-integrations-pipeline
Retry 5/5 exited 2, no more retries left.
Error setting up job executor: running "agent environment" shell hook: The agent environment hook exited with status 1

Verification

  • Not run: build does not reach repository code/test steps; it fails during CI environment bootstrap.

Follow-up

  • If the Vault path and role permissions are correct but intermittent, classify as transient infra and retry once after confirming secret backend health.

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none


brijesh-elastic force-pushed the cloudflare_logpush-1.44.1 branch from f481364 to 70d3f38 May 6, 2026 11:51

brijesh-elastic (Collaborator, Author) commented:

I'm separating the breaking changes into a different PR, which will be merged after all bug fixes and enhancements. This benefits users who want the latest fixes & improvements without being forced to adopt breaking changes yet.

cc: @kcreddy

brijesh-elastic requested a review from kcreddy May 6, 2026 12:00

elastic-vault-github-plugin-prod commented:

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

kcreddy (Contributor) left a comment

Only one comment pending - #18673 (comment)

Comment thread packages/cloudflare_logpush/data_stream/gateway_dns/fields/fields.yml Outdated
brijesh-elastic requested review from efd6 and kcreddy May 7, 2026 10:48

kcreddy (Contributor) left a comment

LGTM for my comments 👍🏼

elasticmachine commented:

💚 Build Succeeded

cc @brijesh-elastic

efd6 (Contributor) left a comment

Thanks

brijesh-elastic merged commit 2a2f24b into elastic:main May 8, 2026
14 checks passed

elastic-vault-github-plugin-prod commented:

Package cloudflare_logpush - 1.44.1 containing this change is available at https://epr.elastic.co/package/cloudflare_logpush/1.44.1/

5 participants