Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Fortinet] Could not index event to Elasticsearch. [sentdelta] value out of range #11

Closed
nicpenning opened this issue Apr 17, 2020 · 8 comments
Closed

[Fortinet] Could not index event to Elasticsearch. [sentdelta] value out of range #11

nicpenning opened this issue Apr 17, 2020 · 8 comments

Comments

@nicpenning
Copy link
Contributor

I have noticed that once in a while an event won't get ingested because the [sentdelta] field contains a value such as 18446744073706429550 which is larger than the type long required in Elastic. Is there a way to handle bigintegers in Elastic? Otherwise I might just make this a text field or changing the mapping settings to let it index anyways. How has anyone else managed this?
@nicpenning
Copy link
Contributor Author

Looking further, it seems that this shouldn't be a valid value any ways, so I think something went amiss when the log was shipped or the pipeline mangled it up. From what I can tell, there are no references to [sentdelta] in the pipeline. To be continued.

@enotspe
Copy link
Owner

enotspe commented Apr 17, 2020

Does event.original shows the same value for sentdelta? Is it Fortinet issue or parsing issue? Can you compare it with the log on the firewall itself?

@nicpenning
Copy link
Contributor Author

I am trying to get it now. Unfortunately this won't log into Elastic with the error and since we have a lot of data in the pipeline it might be hard to isolate. I can try and see if I can find this data in the raw log that is shipped. I don't see anywhere in the pipeline where you would parse this field. I will post what I find.

@nicpenning
Copy link
Contributor Author

We can push this one back to Fortinet!

image

This is indeed a bug in the log. That number is huge and is likely incorrect. Will send something there way.

@enotspe
Copy link
Owner

enotspe commented Apr 17, 2020
edited
Loading

sentdelta is defined on the template
https://github.com/enotspe/fortinet-2-elasticsearch/blob/master/templates/fortigate-6.2.2

It is not parsed specifically. But kv should handle it.

The value 18446744073706429550 is around 18446.74 Petabytes. I have also received values of duration around 100+ years, so I think it is an issue with Fortigate itself. Probably FortiOS version

@nicpenning
Copy link
Contributor Author

It works everywhere else. It's just when it has that bugged value, it doesn't match the type long so it doesn't get indexed. Fortinet will need to fix. Otherwise I could add some basic log that if the deltas have 20+ digits then remove that field and tag that log with an error or add a new text field with the value, even though the value is useless.

@enotspe
Copy link
Owner

enotspe commented Apr 18, 2020
edited
Loading

sentdelta and rcvddelta only happen on logid=20, which are excluded from all analysis, so you might go ahead and drop completely logid=20 anyway

@nicpenning
Copy link
Contributor Author

Closing this issue as this event should be dropped or mapped to a string type field depending on an organization's use cases.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nicpenning @enotspe