Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Zscaler] Integration - Pipeline error when reqmethod is NA #5298

Closed
Androulakakis opened this issue Feb 16, 2023 · 4 comments · Fixed by #5420
Closed

[Zscaler] Integration - Pipeline error when reqmethod is NA #5298

Androulakakis opened this issue Feb 16, 2023 · 4 comments · Fixed by #5420
Assignees
@ashaka-elastic
Labels
bug Something isn't working Integration:zscaler_zia Zscaler Internet Access

Comments

@Androulakakis
Copy link

Androulakakis commented Feb 16, 2023
edited
Loading

Hello,

The ingest pipeline of the Zscaler integration produces the error message -For input string: "NA"-
when the reqmethod is not present, propably beacause respcode is also "NA" and not a number.

Please add conditionals to the pipelines logic.

example log:
{"sourcetype" : "zscalernss-web", "event" :{"time":"Thu Feb 16 10:17:13 2023","login":"deleted@deleted.com","proto":"SSL","eurl":"outlook.office365.com","dhost":"outlook.office365.com","action":"Allowed","reason":"Allowed","appname":"Outlook (Office 365)","appclass":"Webmail","reqsize":"50332","respsize":"2486375","stime":"81000","ctime":"81000","urlclass":"Business Use","urlsupercat":"Internet Communication","urlcat":"Webmail","malwarecat":"None","malwareclass":"None","threatname":"None","riskscore":"0","fileType":"None","location":"deleted","dept":"deleted","cip":"0.0.0.0","sip":"0.0.0.0","src":"0.0.0.0","reqmethod":"NA","respcode":"NA","ua" :"Unknown","ereferer":"None","ruletype":"None","rulelabel":"None","contenttype":"Other","unscannabletype":"None","deviceowner":"deleted","devicehostname":"deleted","md5hash":"None"}

Kind regards.
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@andrewkroh andrewkroh added the bug Something isn't working label Feb 16, 2023
@andrewkroh
Copy link
Member

If NA is a normal value then the integration could be made to ignore the conversion to a number for http.response.status_code.

integrations/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml

Lines 142 to 152 in 53dab46

- convert:
field: json.respcode
target_field: http.response.status_code
type: long
ignore_missing: true
on_failure:
- remove:
field: json.respcode
- append:
field: error.message
value: '{{{_ingest.on_failure_message}}}'

@ashaka-elastic
Copy link
Contributor

@Androulakakis, we are looking into this issue.

@ashaka-elastic ashaka-elastic mentioned this issue Mar 1, 2023
Merged
4 tasks
@elasticmachine
Copy link

Package zscaler_zia - 2.7.1 containing this change is available at https://epr.elastic.co/search?package=zscaler_zia

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ashaka-elastic ashaka-elastic

Labels
bug Something isn't working Integration:zscaler_zia Zscaler Internet Access
Projects
None yet
Milestone
No milestone
4 participants
@andrewkroh @elasticmachine @Androulakakis @ashaka-elastic