
Typo in logstash-patterns-core/patterns/ecs-v1/firewalls #312

Closed
ThomSwiss opened this issue Jun 16, 2022 · 1 comment · Fixed by #313
@ThomSwiss

Logstash information:

Please include the following information:

  1. Logstash version 8.2.2
  2. Logstash installation source: official repo of DEB packages

Description of the problem including expected versus actual behavior:

  • Logstash pipeline crashes
  • In the filter logstash-patterns-core/patterns/ecs-v1/firewalls
    (on my installation located here: ./usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-patterns-core-4.3.3/patterns/ecs-v1/firewalls)

On line 63, in CISCOFW302013_302014_302015_302016, you have a typo. Please correct
[source][user][name?]
to
[source][user][name]
When I change this on my installation, it solves the problem.

Steps to reproduce:
Just use the filter with firewall logs

Provide logs (if relevant):
[2022-06-16T14:56:49,076][WARN ][logstash.filters.grok ] Grok regexp threw exception {:message=>"Invalid FieldReference: [source][user][name", :exception=>RuntimeError, :backtrace=>["org/logstash/ext/JrubyEventExtLibrary.java:112:in get'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:426:in handle'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:386:in block in match'", "(eval):21:in block in compile_captures_func'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/jls-grok-0.11.5/lib/grok-pure.rb:202:in capture'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:386:in block in match'", "org/jruby/RubyArray.java:1821:in each'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:381:in match'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:367:in match_against_groks'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:357:in match'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:301:in block in filter'", "org/jruby/RubyHash.java:1415:in each'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:300:in filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:in do_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:178:in block in multi_filter'", "org/jruby/RubyArray.java:1821:in each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:175:in multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:in multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:300:in `block in start_workers'"]}

@ThomSwiss ThomSwiss added the bug label Jun 16, 2022
@leandrojmp
Contributor

This issue was mentioned in this discuss topic.

The error is in the pattern CISCOFW302013_302014_302015_302016 in the firewalls pattern file.

The part that should extract the source.user.name is wrong.

It is now:

(?:\(%{DATA:[source][user][name?]}\))

And it should be changed to:

(?:\(%{DATA:[source][user][name]}\))

I was able to replicate the issue in 8.2.3 and changing the pattern file solved it.

Sample message tested (sample for ASA-6-302016):

"Teardown UDP connection 89517928 for ingress_interface:10.0.0.15/61541(some.username) to egress_interface:192.168.0.20/53 duration 0:00:00 bytes 116 (some.username)"

Result after changing the pattern file:

{
          "cisco" => {
        "asa" => {
            "connection_id" => "89517928",
                  "network" => {
                "transport" => "UDP"
            },
                 "duration" => "0:00:00",
                  "outcome" => "Teardown"
        }
    },
        "message" => "Teardown UDP connection 89517928 for ingress_interface:10.0.0.15/61541(some.username) to egress_interface:192.168.0.20/53 duration 0:00:00 bytes 116 (some.username)",
       "@version" => "1",
     "@timestamp" => 2022-06-17T14:00:59.337891Z,
          "event" => {
        "original" => "Teardown UDP connection 89517928 for ingress_interface:10.0.0.15/61541(some.username) to egress_interface:192.168.0.20/53 duration 0:00:00 bytes 116 (some.username)"
    },
       "observer" => {
        "ingress" => {
            "interface" => {
                "name" => "ingress_interface"
            }
        },
         "egress" => {
            "interface" => {
                "name" => "egress_interface"
            }
        }
    },
         "source" => {
        "user" => {
            "name" => "some.username"
        },
          "ip" => "10.0.0.15",
        "port" => 61541
    },
    "destination" => {
          "ip" => "192.168.0.20",
        "port" => 53
    },
        "network" => {
        "bytes" => 116
    },
           "host" => {
        "hostname" => "elk-lab"
    }
}

I can make a PR with this change.
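The issue and the comment above both come down to one malformed capture name in a grok patterns file, which only surfaces at runtime as "Invalid FieldReference" once a matching firewall event arrives. As an added example (not code from the reporter, the commenter, or the logstash-patterns-core project), the Python script below lints a patterns file before it is deployed: it parses the `NAME <pattern>` lines, extracts every `%{SYNTAX:SEMANTIC[:TYPE]}` capture, and checks that each SEMANTIC is a well-formed field reference. The character allowlist for segment names is an assumption, deliberately stricter than whatever Logstash itself accepts, so that stray punctuation such as the `?` in `[source][user][name?]` is flagged. The sample pattern text is a constructed, abbreviated excerpt in the style of `patterns/ecs-v1/firewalls`, not the real file.

```python
"""Lint grok pattern files for malformed Logstash field references.

Added example, not part of logstash-patterns-core. It reads a grok patterns
file (one `NAME <pattern>` per line), pulls out every
%{SYNTAX:SEMANTIC[:TYPE]} capture and checks that SEMANTIC is a field
reference the pipeline can evaluate. The allowed character set is an
assumption chosen to be conservative, so typos like a trailing `?` in a
segment are caught before Logstash loads the file.
"""
import re

# %{SYNTAX}, %{SYNTAX:SEMANTIC} or %{SYNTAX:SEMANTIC:TYPE}; SEMANTIC may hold brackets.
CAPTURE_RE = re.compile(
    r"%\{(?P<syntax>\w+)(?::(?P<semantic>[^}:]+))?(?::(?P<type>\w+))?\}"
)
# A bracketed reference is one or more non-empty [segment] groups and nothing else.
BRACKETED_RE = re.compile(r"^(\[[^\[\]]+\])+$")
# Assumption: conservative allowlist for segment names (letters, digits, _ @ . -).
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_@.\-]+$")


def parse_patterns_file(text):
    """Return (name, pattern) pairs; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 2:
            entries.append((parts[0], parts[1]))
    return entries


def extract_captures(pattern):
    """Return the SEMANTIC field references used by %{...} captures in a pattern."""
    return [m.group("semantic") for m in CAPTURE_RE.finditer(pattern) if m.group("semantic")]


def validate_field_reference(ref):
    """Return a problem description for a bad reference, or None if it looks valid."""
    if ref.startswith("["):
        if not BRACKETED_RE.match(ref):
            return "unbalanced or empty bracket segment"
        segments = re.findall(r"\[([^\[\]]+)\]", ref)
    else:
        if "[" in ref or "]" in ref:
            return "brackets must enclose every segment"
        segments = [ref]
    for seg in segments:
        if not SEGMENT_RE.match(seg):
            bad = sorted({c for c in seg if not SEGMENT_RE.match(c)})
            return "segment %r contains disallowed character(s) %s" % (seg, "".join(bad))
    return None


def lint_patterns(text):
    """Return a list of (pattern_name, field_reference, problem) findings."""
    findings = []
    for name, pattern in parse_patterns_file(text):
        for ref in extract_captures(pattern):
            problem = validate_field_reference(ref)
            if problem:
                findings.append((name, ref, problem))
    return findings


# Constructed, abbreviated excerpt in the style of patterns/ecs-v1/firewalls
# (not the real file). BROKEN carries the typo reported in the issue; FIXED is
# the corrected form.
BROKEN = r"""
# constructed sample, not the real firewalls pattern file
CISCOFW302013_302014_302015_302016 %{CISCO_ACTION:[cisco][asa][outcome]} %{WORD:[cisco][asa][network][transport]} connection %{INT:[cisco][asa][connection_id]} for %{NOTSPACE:[observer][ingress][interface][name]}:%{IP:[source][ip]}/%{INT:[source][port]:int}(?:\(%{DATA:[source][user][name?]}\))?
"""
FIXED = BROKEN.replace("[name?]", "[name]")


if __name__ == "__main__":
    for name, ref, problem in lint_patterns(BROKEN):
        print("%s: %s: %s" % (name, ref, problem))
    print("fixed file findings:", lint_patterns(FIXED))
```

Running the linter over an installed patterns directory (for example the `patterns/ecs-v1` tree under the gem path shown in the issue) as part of a pipeline config test catches this class of defect at build time rather than when the first matching event hits the grok filter; the allowlist is intentionally narrow, so widen `SEGMENT_RE` if your own field names legitimately use other characters.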
