
[Filebeat Enhancement] Pattern for Cisco Message 734001. #16612

Merged
merged 5 commits into from
Mar 19, 2020

Conversation

MarcusCaepio
Contributor

Fixes #16212
The split part is needed, because one has to be able to search for an
explicit dap_record. As the records order and number can vary a lot,
just saving the whole string makes no sense. I chose "cisco.user" and
"cisco.connection_type", as looking to the syslog messages docs,
they also call it like that. I made a "make update" both in /beats/xpack/filebeat/ and /beats/filebeat/

Hopefully the pipeline runs successfully now.

- [x] My code follows the style guidelines of this project
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [x] I have made corresponding change to the default configuration files
- [x] I have added tests that prove my fix is effective or that my feature works

How to test this PR locally

Testfiles are included

Related issues

Use cases

Parsing VPN Logs for Cisco ASA and FTD

@MarcusCaepio MarcusCaepio requested a review from a team as a code owner February 26, 2020 15:49
@elasticmachine
Collaborator

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

@elasticmachine
Collaborator

Pinging @elastic/siem (Team:SIEM)

@adriansr adriansr left a comment

Thanks for your contribution!

There are a few issues to address. Make sure to fix the pipeline per my suggestions and then generate the test data.

Comment on lines 1 to 18
{
    "source": {
        "ip": "1.2.3.4"
    },
    "user": {
        "email": "[email protected]"
    },
    "cisco": {
        "connection_type": "AnyConnect",
        "dap_records": [
            "dap_1",
            "dap_2"
        ],
        "asa": {
            "message_id": "734001"
        }
    }
}
@adriansr adriansr Mar 2, 2020

This file should be named dap_records.log-expected.json, and the content must be generated by the system tests. Otherwise it is ignored.

To generate the content of this file, you must run the module's tests in generate mode (first fix the issues with the pipeline I pointed out in other comments):

  1. Have an Elasticsearch in localhost:9200.

  2. Compile a testing binary and create a virtualenv:

       cd {beats_repo}/x-pack/filebeat
       go test -c
       virtualenv -p path_to_python_3 venv
       . venv/bin/activate
       pip install -r ../../libbeat/tests/system/requirements.txt

  3. Then run the cisco/asa tests in generate mode:

       touch module/cisco/asa/test/dap_records.log-expected.json
       GENERATE=1 MODULES_PATH=$PWD/module INTEGRATION_TESTS=1 TESTING_FILEBEAT_MODULES=cisco TESTING_FILEBEAT_FILESETS=asa nosetests -v -s tests/system/test_xpack_modules.py

  4. Run the cisco tests in testing mode and it should pass:

       MODULES_PATH=$PWD/module INTEGRATION_TESTS=1 TESTING_FILEBEAT_MODULES=cisco nosetests -v -s tests/system/test_xpack_modules.py

- name: dap_records
  type: keyword
  description: >
    The assigned DAP records

Also add default_field to these.

- dissect:
    if: "ctx._temp_.cisco.message_id == '734001'"
    field: "message"
    pattern: "DAP: User %{user.email}, Addr %{source.ip}, Connection %{cisco.connection_type}: The following DAP records were selected for this connection: %{cisco.dap_records->}"
@adriansr adriansr Mar 2, 2020

A few issues with this pattern:

  1. Should set source.address instead of source.ip. A later processor will set .ip from .address if it's a valid IP.
  2. Should set _temp_.cisco.xxx instead of cisco.xxx fields. A later processor creates cisco.asa.xxx or cisco.ftd.xxx based on _temp_.cisco.

    field: "message"
    pattern: "DAP: User %{user.email}, Addr %{source.ip}, Connection %{cisco.connection_type}: The following DAP records were selected for this connection: %{cisco.dap_records->}"
- split:
    field: "cisco.dap_records"

Same here. The field to split is _temp_.cisco.dap_records.

Also, this processor needs an ignore_missing: true because it runs for all cisco events, and only 734001 has the field. It can also do with a condition, but it's better to use ignore_missing in this case.
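
The three review points above (source.address rather than source.ip, _temp_.cisco.* rather than cisco.*, and ignore_missing on the split) are easiest to check by running the processors over a sample line. The following is an added example written for this page, not code from the Beats repository or from this PR: a small Python simulation of the dissect and split processors plus the "later processors" the reviewer describes. The dissect matcher is a simplified re-implementation of the Elasticsearch dissect syntax (plain %{key} and trailing %{key->} tokens only), the record separator `,\s*`, the stripped-prefix input shape and the source.address/_temp_.cisco promotion step are assumptions modelled from the reviewer's comments, and all sample lines are constructed.

```python
"""Added example, not code from the Beats repository or this PR: simulates the
dissect, split and follow-up processors discussed in the review on constructed
734001 and non-734001 events. Separator, input shape and the "later processors"
are assumptions modelled from the reviewer's description."""
import ipaddress
import re

# Dissect pattern with the field names the reviewer asked for.
PATTERN_734001 = (
    "DAP: User %{user.email}, Addr %{source.address}, "
    "Connection %{_temp_.cisco.connection_type}: The following DAP records "
    "were selected for this connection: %{_temp_.cisco.dap_records->}"
)
DAP_SEPARATOR = r",\s*"   # assumed separator between record names (not shown in the PR)


def get_field(doc, dotted, default=None):
    """Read a dotted path such as _temp_.cisco.message_id from a nested dict."""
    node = doc
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def set_field(doc, dotted, value):
    """Write a dotted path into a nested dict, creating intermediate objects."""
    node, keys = doc, dotted.split(".")
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value


def dissect_to_regex(pattern):
    """Compile a dissect pattern to a regex; keys are returned separately because
    regex group names cannot contain dots."""
    keys, parts, pos = [], [], 0
    for m in re.finditer(r"%\{([^}]+)\}", pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        key = m.group(1)
        if key.endswith("->"):            # '->' skips trailing padding after the value
            key, group = key[:-2], r"(.*?)\s*"
        else:
            group = r"(.*?)"
        keys.append(key)
        parts.append(group)
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$"), keys


def dissect(doc, field, pattern, condition=None):
    """dissect processor: runs only when the condition holds (message_id 734001)."""
    if condition is not None and not condition(doc):
        return doc
    regex, keys = dissect_to_regex(pattern)
    m = regex.match(get_field(doc, field, ""))
    if m is None:
        raise ValueError("dissect pattern did not match")
    for key, value in zip(keys, m.groups()):
        set_field(doc, key, value)
    return doc


def split(doc, field, separator=DAP_SEPARATOR, ignore_missing=False):
    """split processor: runs for every Cisco event, so only 734001 carries the field."""
    value = get_field(doc, field)
    if value is None:
        if ignore_missing:
            return doc
        raise KeyError(f"field [{field}] not present")
    set_field(doc, field, re.split(separator, value))
    return doc


def finalize(doc, product="asa"):
    """Assumed model of the later processors: source.address -> source.ip only when
    it parses as an IP address, and _temp_.cisco.* -> cisco.<product>.*."""
    address = get_field(doc, "source.address")
    if address is not None:
        try:
            ipaddress.ip_address(address)
            set_field(doc, "source.ip", address)
        except ValueError:
            pass                          # hostname or garbage: leave source.ip unset
    for key, value in doc.pop("_temp_", {}).get("cisco", {}).items():
        set_field(doc, f"cisco.{product}.{key}", value)
    return doc


def run_pipeline(message_id, message):
    """Constructed input shape: syslog prefix already stripped into _temp_.cisco."""
    doc = {"message": message, "_temp_": {"cisco": {"message_id": message_id}}}
    dissect(doc, "message", PATTERN_734001,
            condition=lambda d: get_field(d, "_temp_.cisco.message_id") == "734001")
    split(doc, "_temp_.cisco.dap_records", ignore_missing=True)
    return finalize(doc)


# Constructed sample lines, not taken from the PR's test file.
SAMPLE_734001 = ("DAP: User alice@example.com, Addr 10.1.2.3, Connection AnyConnect: "
                 "The following DAP records were selected for this connection: dap_1, dap_2")
SAMPLE_OTHER = "Group = vpn, Username = bob, IP = 10.1.2.4, Session disconnected."

if __name__ == "__main__":
    print(run_pipeline("734001", SAMPLE_734001))
    print(run_pipeline("113019", SAMPLE_OTHER))
```

Running the non-734001 sample through `split` with `ignore_missing=False` raises, which is the failure mode the reviewer is guarding against; with `ignore_missing=True` the event passes through untouched and only picks up `cisco.asa.message_id`. Replacing the address with a hostname shows why the pattern writes `source.address`: `source.ip` is only populated once the value is known to be a valid IP.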

@MarcusCaepio
Contributor Author

@adriansr Unfortunately, I am very busy right now, so I don't have time to change the PR. As you know, I already created this PR for the third time and every time there was something additional I had to change. To avoid a never-ending story, could you make the needed changes so I know directly how to do it right next time?
Thanks a lot!

@MarcusCaepio
Contributor Author

MarcusCaepio commented Mar 9, 2020

Thanks a lot @adriansr
When will this be available? I see, in 7.6.1 it's not yet integrated.

@adriansr adriansr added the needs_backport PR is waiting to be backported to other branches. label Mar 18, 2020
@adriansr
Contributor

@MarcusCaepio I'll merge this into 7.7.0. As it is an enhancement, it can't go into a bugfix release.

I just rebased it and will try to merge it soon.

MarcusCaepio and others added 3 commits March 19, 2020 00:10
    Fixes elastic#16212
    The split part is needed, because one has to be able to search for an
    explicit dap_record. As the records order and number can vary a lot,
    just saving the whole string makes no sense. I chose "user.email", "source.ip"
    as ECS fields and "cisco.connection_type", "cisco.dap_records",
    as looking to the syslog messages docs, they also call it like that.
    I made "make update" in /beats/x.pack/filebeat and /beats/filebeat.
    Hopefully the pipeline succeeds now.
@adriansr
Contributor

jenkins, test this

@adriansr
Contributor

jenkins, test this

@jsoriano jsoriano left a comment

LGTM, only a possible suggestion.

@adriansr adriansr merged commit ac2b333 into elastic:master Mar 19, 2020
adriansr pushed a commit to adriansr/beats that referenced this pull request Mar 19, 2020
The split part is needed, because one has to be able to search for an
explicit dap_record. As the records order and number can vary a lot,
just saving the whole string makes no sense. I chose "user.email", "source.ip"
as ECS fields and "cisco.connection_type", "cisco.dap_records",
as looking to the syslog messages docs, they also call it like that.
I made "make update" in /beats/x.pack/filebeat and /beats/filebeat.
Hopefully the pipeline succeeds now.

Fixes elastic#16212

Co-authored-by: MarcusCaepio <[email protected]>
(cherry picked from commit ac2b333)
@adriansr adriansr added v7.7.0 and removed needs_backport PR is waiting to be backported to other branches. labels Mar 19, 2020
adriansr added a commit that referenced this pull request Mar 19, 2020
…essage 734001. (#17128)

The split part is needed, because one has to be able to search for an
explicit dap_record. As the records order and number can vary a lot,
just saving the whole string makes no sense. I chose "user.email", "source.ip"
as ECS fields and "cisco.connection_type", "cisco.dap_records",
as looking to the syslog messages docs, they also call it like that.
I made "make update" in /beats/x.pack/filebeat and /beats/filebeat.
Hopefully the pipeline succeeds now.

Fixes #16212

(cherry picked from commit ac2b333)

Co-authored-by: MarcusCaepio <[email protected]>
Development

Successfully merging this pull request may close these issues.

[Filebeat - Module Cisco-ASA] Parsing of Cisco Event Message 734001
4 participants