New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Juniper SRX] Fix grok patterns for system logs #7280
Conversation
🌐 Coverage report
|
🌐 Coverage report
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added two small suggestions but overall it looks good to me.
packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/system.yml
Outdated
Show resolved
Hide resolved
packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/system.yml
Outdated
Show resolved
Hide resolved
Thanks @chemamartinez! |
packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
Package juniper_srx - 1.14.1 containing this change is available at https://epr.elastic.co/search?package=juniper_srx |
* Fix grok patterns for Juniper System logs * update pr num * update negotiation grok * Fix FW groks * Fix rtslib_dfwsm_get_async_cb * Add reth_scan * Non pid structured * Fix other patterns * Refactor * Add required fields * update readme * PR comments * Address PR comments
What does this PR do?
Fixes existing grok patterns for system logs
Checklist
changelog.yml
file.Author's Checklist
Waiting for the user who raised the request to get back on the issue comment. There are several instances where logs are not correctly formatted, or deviating from the standard.
Examples from
test-system.log
:, Traffic-selector: FC Name:
has no comma between fields, VR-ID: 5: Role: Initiator
has:
instead of,
for field separator, VPN: IPSEC-NIKON-TUN1-PROD-VPN Gateway: IKE-NIKON-TUN1-GW,
has,
for field separator. Also present in multiple places.Confirmed by user that these can be ignored - [Juniper SRX] Issues with System message groks #6963 (comment)
How to test this PR locally
Related issues
Screenshots