Iptables module unable to parse some logs from UDM-Pro device #25615
I'm using the Iptables module of Filebeat (master branch on GitHub, commit ddcf8f1aa) to receive and parse logs from a Unifi Dream Machine Pro over UDP. My module configuration looks like this:

The data is sent from the beat to a Logstash pipeline. That pipeline does no processing/parsing of the message itself; it just sends the incoming data into the appropriate Elasticsearch index. All of the message processing happens using the ingest pipeline provided by the Iptables module.
Most of the sample log data I've tested parses fine; however, there are a handful of logs (about 70 out of 3800) that the module fails to parse properly.
Here are a few logs that fail to parse:

Comments
Should be easy to update the grok pattern.
Are some of those supposed to be L and TL and not TTL?
That's exactly how they appear in my log file. It almost looks as if part of the message is missing, but then the date and other information is still there.
Ya, I'm definitely confused about that. Could it be a UDM bug? Did this just start happening recently? After an update?
Same here. This is the first time I've tried collecting these logs, so I can't say that it was working anytime before. I know very little about UDM, but I also wondered if it could be a bug with the device. I'll see if I can get in touch with someone who might be able to help figure this out. Thanks for looking at this so quickly. I'll let you know when I have more information.
I would hit up the Unifi forums. You'd probably get the best answer there.
That's a great idea. Thank you!
I opened a draft PR to parse these logs. Let me know what you think.
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
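The reporter's failing lines are not reproduced on this page, and the thread's one concrete observation is that the "TTL=" key sometimes arrives as "TL=" or "L=". The following Python is an added example, not the reporter's data and not the Filebeat iptables module's grok pattern: it parses constructed iptables LOG lines into key/value records, and shows how a strict parser (one that insists on a literal "TTL=" key) drops exactly the damaged lines while a tolerant parser accepts them and flags them, so the count of damaged lines can be tracked while the cause on the device side is still unknown. The syslog header, hostname and "[RULE-PREFIX]" in the samples are assumptions about how a UDM-Pro forwards kernel messages.

```python
"""Tolerant parser for iptables LOG lines illustrating the truncated
"TTL=" key discussed in this issue. Example code added to the page; it is
not the Filebeat iptables module's grok pattern."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the generic iptables LOG format (not the
# reporter's data). The syslog header and the "[RULE-PREFIX]" are
# assumptions about how the UDM-Pro forwards kernel messages.
SAMPLE_LINES = [
    "Apr 29 10:11:12 UDM-Pro kernel: [LAN_OUT-2000-A]IN=br0 OUT=eth8 "
    "MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.10 "
    "DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54321 DF "
    "PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
    # "TTL" truncated to "TL", as the reporter observed.
    "Apr 29 10:11:13 UDM-Pro kernel: [WAN_IN-3000-D]IN=eth8 OUT= "
    "MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=198.51.100.7 "
    "DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TL=55 ID=0 DF PROTO=TCP "
    "SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    # "TTL" truncated to "L".
    "Apr 29 10:11:14 UDM-Pro kernel: [WAN_IN-3000-D]IN=eth8 OUT= "
    "MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=198.51.100.8 "
    "DST=203.0.113.9 LEN=84 TOS=0x00 PREC=0x00 L=241 ID=7 PROTO=ICMP "
    "TYPE=8 CODE=0 ID=1 SEQ=1",
]

# Syslog-style header, then an optional "[prefix]" set by --log-prefix,
# then the space-separated KEY=VALUE / FLAG body written by the LOG target.
HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: (?:\[(?P<prefix>[^\]]*)\])?(?P<body>.*)$"
)
REQUIRED = ("SRC", "DST", "PROTO", "TTL")
TRUNCATED_TTL = {"TL", "L"}  # damaged spellings of TTL seen in the thread


def parse_line(line: str, tolerant: bool = True) -> Optional[Dict[str, object]]:
    """Parse one line into a dict, or return None if it does not conform.

    tolerant=True accepts a "TL=" or "L=" key holding a decimal value as
    TTL and marks the record with truncated_ttl=True. tolerant=False
    requires a literal "TTL=" key, mimicking a strict grok pattern.
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = {
        "timestamp": m["timestamp"],
        "host": m["host"],
        "prefix": m["prefix"],
        "flags": [],
        "truncated_ttl": False,
    }
    for tok in m["body"].split():
        if "=" not in tok:
            rec["flags"].append(tok)  # bare flags such as DF, SYN, ACK
            continue
        key, val = tok.split("=", 1)
        if tolerant and key in TRUNCATED_TTL and val.isdigit():
            key, rec["truncated_ttl"] = "TTL", True
        if key in rec:
            continue  # keep the first of duplicate keys (IP ID vs ICMP ID)
        rec[key] = int(val) if val.isdigit() else val
    if any(k not in rec for k in REQUIRED):
        return None
    return rec


def parse_lines(lines: List[str], tolerant: bool = True
                ) -> Tuple[List[Dict[str, object]], List[str]]:
    """Return (parsed records, raw lines that failed), like a pipeline's
    failure bucket."""
    parsed: List[Dict[str, object]] = []
    failed: List[str] = []
    for line in lines:
        rec = parse_line(line, tolerant)
        if rec is None:
            failed.append(line)
        else:
            parsed.append(rec)
    return parsed, failed


def truncated_ttl_count(records: List[Dict[str, object]]) -> int:
    """How many accepted records carried a damaged TTL key."""
    return sum(1 for r in records if r["truncated_ttl"])


if __name__ == "__main__":
    strict_ok, strict_bad = parse_lines(SAMPLE_LINES, tolerant=False)
    tol_ok, tol_bad = parse_lines(SAMPLE_LINES, tolerant=True)
    print(f"strict: {len(strict_ok)} parsed, {len(strict_bad)} failed")
    print(f"tolerant: {len(tol_ok)} parsed, "
          f"{truncated_ttl_count(tol_ok)} had a truncated TTL key")
```

The strict mode reproduces the shape of the failure described above (a small share of lines rejected for one missing key); the tolerant mode keeps the TTL value but records that the key was damaged, which is the signal to watch if the device-side cause is ever fixed or gets worse.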