Whitespace in Cisco ASA output breaks firewall pattern #37
Comments
|
@seang-es Any chance you can get me a sample log? (anonymized is ok). I'll write a test case for it and we can move forward with the fix. |
|
(I'm open to merging the pattern fix first, btw, just want to get traction on me adding tests) |
|
Sean opened this up from my ticket to ES support. An example log line: <164>May 13 2015 11:56:41 asa-5510 : %ASA-4-106023: Deny tcp src dmz:192.168.xx.xx/xxxx dst pre:192.168.xx.xx/xxxx by access-group "dmz_access_in" [0x81470ed6, 0x0] My change to the pattern: $ diff -bur <(grep CISCO_TAGGED /opt/logstash/patterns/firewalls) <(grep CISCO_TAGGED /opt/logstash/patterns/sv) --- /dev/fd/63 2015-05-04 13:59:00.131534784 -0500
+++ /dev/fd/62 2015-05-04 13:59:00.127507381 -0500
@@ -1 +1 @@
-CISCO_TAGGED_SYSLOG ^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})?: %%{CISCOTAG:ciscotag}:
+SV_CISCO_TAGGED_SYSLOG ^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp} (%{SYSLOGHOST:sysloghost})? : %%{CISCOTAG:ciscotag}:The pattern is missing the space after the hostname match '?:' vs '? :'. Though allowing an optional space is likely better, we don't ship any messages without a hostname in our firewalls. |
|
This is a duplicate of #2. Also, I signed the CLA back in January, but the cla_check test is still failing because the work email address with which I signed the CLA is a secondary address on my github account. See comments on elastic/logstash#2102 for more detail. |
See elastic/logstash#2101. This is coming up at customer sites as well.
The text was updated successfully, but these errors were encountered: