[Cisco FTD] Pipeline Error when FTD Suffix is empty string

[agmic]

I have the following logs in our environment which raise a pipeline error because the optional ftd suffix is an empty string.

<166>:Feb 26 11:26:52 UTC: %FTD--6-852002: Received Full Proxy to Lightweight event from application Snort for TCP flow 10.10.10.10/710 to 11.22.33.44/47873

Without suffix: %FTD-6-852002 : No error
With suffix: %FTD-ABCD-6-852002 : No error, suffix parsed to cisco.ftd.suffix
With blank suffix: %FTD--6-852002 : Pipeline error further down in pipeline as message ID (852002) is not parsed out.

The existing pipeline checks for a suffix, but expects something to be there. If the suffix is empty, the pipeline errors.

The code in question is:

integrations/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml

Line 54 in e191f83

- "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}"

My regex is not that strong, but can the grok be changed from
%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\s*%{GREEDYDATA:message}

to:

%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}?-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\s*%{GREEDYDATA:message}

(addition of question mark after FTD_SUFFIX capture group) to account for this?

[elasticmachine]

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

[elasticmachine]

Package cisco_ftd - 3.2.3 containing this change is available at https://epr.elastic.co/search?package=cisco_ftd