[Juniper SRX] Issues with System message groks #6963
Comments
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Additional tests that should pass from #6837.
In the PR fix #7280, there are several instances where logs are not correctly formatted or deviate from the standard. Examples from
These are leading to incorrect parsing.
Hey @cai-elastic, based on the above comment, could you please confirm whether these logs are correctly formatted? Because of this we are seeing incorrect output in such cases. https://github.com/elastic/integrations/pull/7280/files#diff-0db8ac6cad8ca10c7bcf6c12ed7588cc181c0c7876d9701a31195e56a66b3b99
Hi Kcreddy, I think they are exceptional cases that can be ignored in the test coverage. It's fine as long as we support correct formats. Best Regards,
Thanks Cai, since it can be ignored, I will make the PR ready for review.
Currently the parsing of system messages for Juniper SRX is quite new; however, there are a few main issues that have to be resolved.

default.yml: the grok here hits the system-structured data as well, and this causes issues. The grok should be rewritten into 3 components instead of the current 2.

system.yml has issues with certain data formats; here as well we should have more explicit grok patterns for structured and unstructured data, as unstructured data is still hitting the pattern for structured.

The _temp_.to_be_parsed field is not actually parsed anywhere. The TAG field at the start of the grok also supports only values without spaces, so things like "IKE negotiation failed with error" do not work. Dissect for this is not working because of the missing tag; it's in the test data:
<27>1 2023-05-04T15:19:33.984+10:00 AB1234-A-AB-AB01C-ABC kmd 9159 asd2 asd IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: IPSEC-AAAAA-AAA1-PROD-VPN Gateway: IKE-AAAAA-AAA1-GW, Local: 89.160.20.112/500, Remote: 67.43.156.1/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 5: Role: Initiator
Other sample data that hits traffic-structured on default.yml rather than the system pattern:
<37>1 2023-05-10T00:10:24.232+10:00 AB1234-A-AB-AB01C-ABC snmpd 8959 SNMPD_AUTH_FAILURE [junos@1111.1.1.1.1.111 function-name="nsa_log_community" message="unauthorized SNMP community" source-address="216.160.83.56" destination-address="89.160.20.128" index1="j5Cx6eSkKF7A"]
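To make the three-component split concrete, here is an added example parser (not code from the elastic/integrations project or its ingest pipelines) that handles the two sample lines above. It splits each line into the RFC 5424 header, the tag, and a body that is either one `[sd-id name="value" ...]` block or free text, and it tries the structured form first so unstructured messages cannot fall through into the structured pattern. The assumptions are mine: for unstructured messages it treats the first two tokens after PROCID as MSGID and a placeholder, and takes everything up to the first ": " as a tag that may contain spaces; any line whose placeholder slot starts with "[" is rejected as a malformed structured line rather than being parsed as free text. The sample lines are the ones quoted in this issue.

```python
"""Three-stage parser for Juniper SRX RFC 5424 syslog lines (added example)."""
import re

# Constructed copies of the two sample lines quoted in the issue.
SAMPLE_UNSTRUCTURED = (
    "<27>1 2023-05-04T15:19:33.984+10:00 AB1234-A-AB-AB01C-ABC kmd 9159 asd2 asd "
    "IKE negotiation failed with error: Timed out. IKE Version: 1, "
    "VPN: IPSEC-AAAAA-AAA1-PROD-VPN Gateway: IKE-AAAAA-AAA1-GW, "
    "Local: 89.160.20.112/500, Remote: 67.43.156.1/500, Local IKE-ID: Not-Available, "
    "Remote IKE-ID: Not-Available, VR-ID: 5: Role: Initiator"
)
SAMPLE_STRUCTURED = (
    "<37>1 2023-05-10T00:10:24.232+10:00 AB1234-A-AB-AB01C-ABC snmpd 8959 "
    'SNMPD_AUTH_FAILURE [junos@1111.1.1.1.1.111 function-name="nsa_log_community" '
    'message="unauthorized SNMP community" source-address="216.160.83.56" '
    'destination-address="89.160.20.128" index1="j5Cx6eSkKF7A"]'
)

# Stage 1: the RFC 5424 header; everything after PROCID is left for later stages.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<rest>.*)$"
)

# Stages 2+3, structured: a single-token TAG followed by one [sd-id params] block.
STRUCTURED = re.compile(r"^(?P<tag>\S+) \[(?P<sd_id>\S+) (?P<params>.*)\]$")
# name="value" pairs; RFC 5424 permits backslash escapes inside the value.
SD_PARAM = re.compile(r'([\w.-]+)="((?:[^"\\]|\\.)*)"')

# Stages 2+3, unstructured (assumption): MSGID, a placeholder token, then a tag
# that MAY contain spaces, terminated by ": ", then the free-text message.
UNSTRUCTURED = re.compile(r"^(?P<msgid>\S+) (?P<sd>\S+) (?P<tag>[^:\[]+): (?P<message>.*)$")
# Unstructured line with no "tag: message" split: keep the whole text as message.
UNSTRUCTURED_NOTAG = re.compile(r"^(?P<msgid>\S+) (?P<sd>\S+) (?P<message>.*)$")


def _unescape(value):
    """Undo the RFC 5424 PARAM-VALUE escapes \\" \\\\ and \\]."""
    return re.sub(r"\\([\"\\\]])", r"\1", value)


def parse_srx(line):
    """Return a dict of parsed fields, or None when the line cannot be classified."""
    m = HEADER.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    event = {
        "facility": pri >> 3,   # PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": m.group("timestamp"),
        "hostname": m.group("hostname"),
        "app": m.group("app"),
        "pid": m.group("pid"),
    }
    rest = m.group("rest")

    # The structured form is the more specific pattern, so it is tried first.
    s = STRUCTURED.match(rest)
    if s is not None:
        event.update(kind="structured", tag=s.group("tag"), sd_id=s.group("sd_id"))
        event["fields"] = {k: _unescape(v) for k, v in SD_PARAM.findall(s.group("params"))}
        return event

    u = UNSTRUCTURED.match(rest) or UNSTRUCTURED_NOTAG.match(rest)
    if u is None or u.group("sd").startswith("["):
        # Either not parseable at all, or a broken structured block: refuse to
        # misfile it as free text, which is the failure mode described above.
        return None
    event.update(kind="unstructured", msgid=u.group("msgid"), message=u.group("message"))
    event["tag"] = u.groupdict().get("tag")
    return event


if __name__ == "__main__":
    for sample in (SAMPLE_STRUCTURED, SAMPLE_UNSTRUCTURED):
        print(parse_srx(sample))
```

Because the structured branch is attempted before the free-text one, the SNMPD_AUTH_FAILURE line yields its `source-address` as a field rather than being swallowed as message text, and the kmd line yields the multi-word tag "IKE negotiation failed with error" instead of failing on the first space.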