Fix the Grok parser for 113005 messages #9473
💚 Build Succeeded
LGTM
@@ -357,7 +357,7 @@ processors: | |||
description: "113005" | |||
field: "message" | |||
patterns: | |||
- "AAA user authentication Rejected(%{SPACE})?: reason = %{REASON}(%{SPACE})?: server = %{IP:destination.address}(%{SPACE})?: user = ?%{CISCO_USER:source.user.name}(%{SPACE})?: user IP = %{IP:source.address}" | |||
- "AAA user authentication Rejected(%{SPACE})?: reason = %{REASON}(%{SPACE})?: server = %{IP:destination.address}(%{SPACE})?: user = ?(%{CISCO_USER:source.user.name}|\\*+)(%{SPACE})?: user IP = %{IP:source.address}" |
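Review bot: the new `\\*+` alternative (the YAML double-quoted form of `\*+`) lets `user = *****` match without populating `source.user.name`, but it accepts a run of asterisks of any length, and when that branch is taken the field is simply absent, so anything downstream in this pipeline that assumes `source.user.name` is set for 113005 events needs to tolerate that. Please add a sample 113005 event with the masked username to the package's pipeline test data so `elastic-package test` exercises this branch, and state in the changelog entry that `*****` is intentionally not extracted, since the thread notes other groks in this pipeline do extract it.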
Other groks handling `*****` actually extract it to `source.user.name`. We can either be consistent and extract it as well, or we can not extract it.

This is one of those situations where I don't know what the intended behavior behind this is supposed to be. These are very old pipelines with, at times, questionable practices. To me, `*****` is equivalent to no value at all, it does nothing more than describe "I don't know what this user is".

I'm fine with not extracting it.
I was thinking the same to be honest that `*****` means no username defined.
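To show what the alternation changes, here is an added Python example (not code from the PR or the cisco_ftd package) that expands the old and new grok lines into Python regexes and runs them over two constructed 113005 events; the SPACE, IP, REASON and CISCO_USER sub-patterns are simplified assumptions, with CISCO_USER assumed not to match asterisks.

```python
import re

# Assumed, simplified stand-ins for the grok sub-patterns the cisco_ftd pipeline
# uses; the package's real definitions may differ. CISCO_USER is assumed not to
# match '*', which is what makes the old pattern fail on a masked username.
SUBPATTERNS = {
    "SPACE": r"\s*",
    "IP": r"\d{1,3}(?:\.\d{1,3}){3}",   # IPv4 only, enough for the demo
    "REASON": r"[^:]+?",
    "CISCO_USER": r"[A-Za-z0-9._@\-]+",
}

def grok_to_regex(pattern):
    """Expand %{NAME} / %{NAME:field} into a Python regex; return (regex, group->field map)."""
    fields = {}

    def expand(m):
        name, field = m.group(1), m.group(2)
        body = SUBPATTERNS[name]
        if field is None:
            return f"(?:{body})"
        group = f"f{len(fields)}"
        fields[group] = field
        return f"(?P<{group}>{body})"

    return re.compile(re.sub(r"%\{(\w+)(?::([\w.]+))?\}", expand, pattern)), fields

# The 113005 grok line before and after the change, as grok sees it once YAML
# has unescaped the double-quoted string (\\*+ in the YAML becomes \*+).
OLD = (r"AAA user authentication Rejected(%{SPACE})?: reason = %{REASON}(%{SPACE})?: "
       r"server = %{IP:destination.address}(%{SPACE})?: user = ?%{CISCO_USER:source.user.name}"
       r"(%{SPACE})?: user IP = %{IP:source.address}")
NEW = OLD.replace("%{CISCO_USER:source.user.name}", r"(%{CISCO_USER:source.user.name}|\*+)")

def parse_113005(pattern, message):
    """Return the extracted fields (unmatched fields stay unset, as in grok), or None on no match."""
    regex, fields = grok_to_regex(pattern)
    m = regex.search(message)
    if m is None:
        return None
    return {fields[g]: v for g, v in m.groupdict().items() if v is not None}

# Constructed sample events, not real device output.
MASKED_EVENT = ("AAA user authentication Rejected : reason = AAA failure : "
                "server = 10.0.0.5 : user = ***** : user IP = 192.0.2.10")
NAMED_EVENT = ("AAA user authentication Rejected : reason = Invalid password : "
               "server = 10.0.0.5 : user = jdoe : user IP = 192.0.2.10")

if __name__ == "__main__":
    for label, pattern in (("old", OLD), ("new", NEW)):
        print(label, "masked:", parse_113005(pattern, MASKED_EVENT))
        print(label, "named: ", parse_113005(pattern, NAMED_EVENT))
```

The old pattern fails outright on the masked event (the whole grok processor errors), while the new one matches and simply leaves `source.user.name` unset; a real username is extracted identically by both.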
Package cisco_ftd - 3.2.1 containing this change is available at https://epr.elastic.co/search?package=cisco_ftd
Proposed commit message
This PR properly handles cisco_ftd messages with id 113005 in which the username is hidden.
Ref https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs1.html#con_8293726 (credits @taylor-swanson)
Checklist
- changelog.yml file.

Author's Checklist
N/A

How to test this PR locally
Inside the cisco_ftd package run: elastic-package test

Related issues

Screenshots
N/A