[Cisco FTD] Pipeline Error when FTD Suffix is empty string #9241
Labels: bug (Something isn't working), Integration:CiscoFTD (Cisco FTD Firepower Threat Defense), Team:Security-Deployment and Devices (Deployment and Devices Security team)
I have the following logs in our environment which raise a pipeline error because the optional ftd suffix is an empty string.
<166>:Feb 26 11:26:52 UTC: %FTD--6-852002: Received Full Proxy to Lightweight event from application Snort for TCP flow 10.10.10.10/710 to 11.22.33.44/47873
Without suffix: %FTD-6-852002 : No error
With suffix: %FTD-ABCD-6-852002 : No error, suffix parsed to cisco.ftd.suffix
With blank suffix: %FTD--6-852002 : Pipeline error further down in pipeline as message ID (852002) is not parsed out.
The existing pipeline checks for a suffix, but expects something to be there. If the suffix is empty, the pipeline errors.
The code in question is:
integrations/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
Line 54 in e191f83
My regex is not that strong, but can the grok be changed from
%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\s*%{GREEDYDATA:message}
to:
%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}?-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\s*%{GREEDYDATA:message}
(addition of question mark after FTD_SUFFIX capture group) to account for this?
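To see why the extra question mark matters, the following added example (not code from the issue or from the cisco_ftd integration) translates both grok patterns into Python regexes and runs them over the three header shapes described in the report. The expansions of the pipeline's custom patterns FTD_PREFIX and FTD_SUFFIX are not shown on the page, so the values below are assumptions; NONNEGINT and POSINT are the standard grok library definitions. The three log lines are constructed from the example in the report. Python's `re` engine backtracks like Oniguruma for these patterns, but the exact behaviour in the real pipeline also depends on how FTD_SUFFIX is defined there.

```python
import re
from typing import Optional

# Assumed expansions of the pipeline's custom grok patterns (not taken from the page).
FTD_PREFIX = r"%FTD"
FTD_SUFFIX = r"[A-Za-z0-9_]+"
# Standard grok library definitions.
NONNEGINT = r"\b(?:[0-9]+)\b"
POSINT = r"\b(?:[1-9][0-9]*)\b"


def build_pattern(optional_suffix: bool) -> "re.Pattern[str]":
    """Translate the pipeline grok into a Python regex.

    optional_suffix=False mirrors the pattern quoted in the issue: the suffix
    capture must contain at least one character, so "%FTD--6-..." never matches.
    optional_suffix=True mirrors the proposed fix, where the suffix capture is
    itself optional and the empty "--" form is accepted.
    """
    suffix_q = "?" if optional_suffix else ""
    return re.compile(
        rf"{FTD_PREFIX}-"
        rf"(?:(?P<suffix>{FTD_SUFFIX}){suffix_q}-)?"
        rf"(?P<severity>{NONNEGINT})-"
        rf"(?P<message_id>{POSINT})?:?\s*"
        r"(?P<message>.*)"
    )


def parse_ftd_header(line: str, optional_suffix: bool) -> Optional[dict]:
    """Return the captured fields, or None when the grok does not match at all.

    Groups that did not participate (e.g. no suffix) are dropped, mirroring
    how grok only sets fields for captures that matched.
    """
    m = build_pattern(optional_suffix).search(line)
    if m is None:
        return None
    out = {k: v for k, v in m.groupdict().items() if v is not None}
    out["severity"] = int(out["severity"])  # grok's ":int" type conversion
    return out


# Constructed sample lines modelled on the example in the report.
BODY = ("Received Full Proxy to Lightweight event from application Snort "
        "for TCP flow 10.10.10.10/710 to 11.22.33.44/47873")
SAMPLES = {
    "no_suffix": f"%FTD-6-852002: {BODY}",
    "suffix": f"%FTD-ABCD-6-852002: {BODY}",
    "blank_suffix": f"%FTD--6-852002: {BODY}",
}


def compare_patterns(samples: dict) -> dict:
    """Run the original and the proposed pattern over every sample line."""
    return {
        name: {
            "original": parse_ftd_header(line, optional_suffix=False),
            "proposed": parse_ftd_header(line, optional_suffix=True),
        }
        for name, line in samples.items()
    }


if __name__ == "__main__":
    for name, results in compare_patterns(SAMPLES).items():
        print(f"== {name}")
        for variant, fields in results.items():
            # Only the blank-suffix line fails with the original pattern.
            print(f"  {variant:9}: {fields}")
```

Running the block shows that the original pattern returns no match for the `%FTD--6-852002` line (so message_id never gets set, which is what the later processors trip over), while the proposed pattern extracts severity 6 and message_id 852002 for all three shapes and only sets the suffix field when one is actually present.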