Fix the Grok parser for 113005 messages #9473
Conversation
pkoutsovasilis
force-pushed
the
pkoutsovasilis/cisco_ftd_hidden_username
branch
from
1148c82
to
36f1c25
Compare
💚 Build Succeeded
History
|
|
100.0% Coverage on New Code
0.0% Duplication on New Code
| @@ -357,7 +357,7 @@ processors: | |||
| description: "113005" | |||
| field: "message" | |||
| patterns: | |||
| - "AAA user authentication Rejected(%{SPACE})?: reason = %{REASON}(%{SPACE})?: server = %{IP:destination.address}(%{SPACE})?: user = ?%{CISCO_USER:source.user.name}(%{SPACE})?: user IP = %{IP:source.address}" | |||
| - "AAA user authentication Rejected(%{SPACE})?: reason = %{REASON}(%{SPACE})?: server = %{IP:destination.address}(%{SPACE})?: user = ?(%{CISCO_USER:source.user.name}|\\*+)(%{SPACE})?: user IP = %{IP:source.address}" | |||
There was a problem hiding this comment.
Other groks handling ***** actually extract it to source.user.name. We can either be consistent and extract it as well, or we can not extract it.
This is one of those situations where I don't know what the intended behavior behind this is supposed to be. These are very old pipelines with, at times, questionable practices. To me, ***** is equivalent to no value at all, it does nothing more than describe "I don't know what this user is".
I'm fine with not extracting it.
There was a problem hiding this comment.
I was thinking the same to be honest that ***** means no username defined
|
Package cisco_ftd - 3.2.1 containing this change is available at https://epr.elastic.co/search?package=cisco_ftd |
Proposed commit message
This PR handles properly cisco_ftd messages with id 113005 that the username is hidden
Ref https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs1.html#con_8293726 (credits @taylor-swanson )
Checklist
changelog.ymlfile.Author's Checklist
N/A
How to test this PR locally
inside the
cisco_ftdpackage run:elastic-package testRelated issues
Screenshots
N/A