
[Cisco FTD] Pipeline Error for Event 113019 #9198

Closed
agmic opened this issue Feb 20, 2024 · 2 comments · Fixed by #9542
Labels
bug Something isn't working Integration:CiscoFTD Cisco FTD Firepower Threat Defense Team:Security-Deployment and Devices Deployment and Devices Security team

Comments

agmic commented Feb 20, 2024

The Cisco FTD integration raises a pipeline error on events with Message ID 113019.

The code that errors is line 1648 here:
https://github.com/elastic/integrations/blob/fc99cc8fcbe193be818f03f26fc3ef9a3d341562/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml#L1646C1-L1649C100

```yaml
  - script:
      lang: painless
      source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes"
      if: ctx.source?.bytes != null && ctx.destination?.bytes != null && ctx.network?.bytes == null
```

The error message is

```
cannot access method/field [bytes] from a null def reference
```

and seems to be caused by a script trying to add a value to the `network.bytes` field (`ctx.network.bytes`) when the `network` parent field doesn't exist.

A document that can raise the error is below.

```json
[
  {
    "_id": "id2",
    "_index": "index",
    "_source": {
      "message": "<164>Feb 19 2024 16:29:38: %FTD-4-113019: Group = VPN, Username = abcd, IP = 11.22.33.44, Session disconnected. Session Type: SSL, Duration: 1h:24m:30s, Bytes xmt: 25292048, Bytes rcv: 12546398, Reason: User Requested"
    }
  }
]
```
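One way to make the processor safe against a missing parent map, added here as an illustration and not the change merged in #9542 (whose exact form this page does not show): the `if` condition's null-safe `ctx.network?.bytes` is satisfied when `ctx.network` itself is null, so the script has to create the parent before assigning into it.

```yaml
  - script:
      lang: painless
      # Same condition as the failing processor: it passes when ctx.network is
      # entirely absent, which is exactly the case that raised the null-def error.
      if: ctx.source?.bytes != null && ctx.destination?.bytes != null && ctx.network?.bytes == null
      source: |
        // Create the parent object first; assigning ctx.network.bytes does not
        // auto-create ctx.network, so a null ctx.network throws instead.
        if (ctx.network == null) {
          ctx.network = new HashMap();
        }
        ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes;
```

The guarded processor can be checked offline against the document above with the `_ingest/pipeline/_simulate` API, which should now yield `network.bytes` equal to the sum of the xmt and rcv counters instead of the error.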
@elasticmachine

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

@elasticmachine

Package cisco_ftd - 3.2.2 containing this change is available at https://epr.elastic.co/search?package=cisco_ftd
