fix the pipeline to keep nat ip/port pairs together

elastic · Jun 7, 2024 · 458377c · 458377c
1 parent c9dbbde
commit 458377c
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 5 deletions.
diff --git a/packages/stormshield/data_stream/log/_dev/test/pipeline/test-firewall.log-expected.json b/packages/stormshield/data_stream/log/_dev/test/pipeline/test-firewall.log-expected.json
@@ -135,7 +135,8 @@
                 },
                 "ip": "89.160.20.182",
                 "nat": {
-                    "ip": "1.128.0.1"
+                    "ip": "1.128.0.1",
+                    "port": 123
                 },
                 "port": 123
             },
@@ -417,9 +418,7 @@
             "@timestamp": "2019-02-24T16:38:00.000+01:00",
             "destination": {
                 "ip": "10.10.10.10",
-                "nat": {
-                    "port": 1900
-                }
+                "port": 1900
             },
             "ecs": {
                 "version": "8.11.0"

diff --git a/packages/stormshield/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/stormshield/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -268,7 +268,12 @@ processors:
       field: stormshield.dstport
       target_field: destination.nat.port
       type: long
-      if: ctx.stormshield?.dstport != null && ctx.stormshield?.dstport != ctx.stormshield?.origdstport
+      if: ctx.stormshield?.dstport != null && ctx.destination?.nat?.ip != null
+  - convert:
+      field: stormshield.dstport
+      target_field: destination.port
+      type: long
+      if: ctx.stormshield?.dstport != null && ctx.destination?.nat?.ip == null
 
   - remove:
       field: stormshield.dstport