-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Filebeat Enhancement] Pattern for Cisco Message 734001. #16612
Conversation
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
1 similar comment
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
Pinging @elastic/siem (Team:SIEM) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your contribution!
There's a few issues to address. Make sure to fix the pipeline per my suggestions and then generate the test data.
{ | ||
"source": { | ||
"ip": "1.2.3.4" | ||
}, | ||
"user": { | ||
"email": "[email protected]" | ||
}, | ||
"cisco": { | ||
"connection_type": "AnyConnect", | ||
"dap_records": [ | ||
"dap_1", | ||
"dap_2" | ||
], | ||
"asa": { | ||
"message_id": "734001" | ||
} | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This file should be named dap_records.log-expected.json
, and the content must be generated by the system tests. Otherwise is ignored.
To generate the content of this file, you must run the module's tests in generate mode (first fix the issues with the pipeline I pointed out in other comments):
-
Have an Elasticsearch in localhost:9200.
-
Compile a testing binary and create a virtualenv:
cd {beats_repo}/x-pack/filebeat
go test -c
virtualenv -p path_to_python_3 venv
. venv/bin/activate
pip install -r ../../libbeat/tests/system/requirements.txt
- Then run the cisco/asa tests in generate mode:
touch module/cisco/asa/test/dap_records.log-expected.json
GENERATE=1 MODULES_PATH=$PWD/module INTEGRATION_TESTS=1 TESTING_FILEBEAT_MODULES=cisco TESTING_FILEBEAT_FILESETS=asa nosetests -v -s tests/system/test_xpack_modules.py
- Run the cisco tests in testing mode and it should pass:
MODULES_PATH=$PWD/module INTEGRATION_TESTS=1 TESTING_FILEBEAT_MODULES=cisco nosetests -v -s tests/system/test_xpack_modules.py
- name: dap_records | ||
type: keyword | ||
description: > | ||
The assigned DAP records |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also add default_field
to this ones.
- dissect: | ||
if: "ctx._temp_.cisco.message_id == '734001'" | ||
field: "message" | ||
pattern: "DAP: User %{user.email}, Addr %{source.ip}, Connection %{cisco.connection_type}: The following DAP records were selected for this connection: %{cisco.dap_records->}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few issues with this pattern:
- Should set
source.address
instead ofsource.ip
. A later processor will set.ip
from.address
if it's a valid IP. - Should set
_temp_.cisco.xxx
instead ofcisco.xxx
fields. A later processor createscisco.asa.xxx
orcisco.ftd.xxx
based on_temp_.cisco
.
field: "message" | ||
pattern: "DAP: User %{user.email}, Addr %{source.ip}, Connection %{cisco.connection_type}: The following DAP records were selected for this connection: %{cisco.dap_records->}" | ||
- split: | ||
field: "cisco.dap_records" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here. The field to split is _temp_.cisco.dap_records
.
Also this processor needs a ignore_missing: true
because it runs for all cisco events, and only 734001
has the field. It can also do with a condition but it's better to use ignore_missing in this case.
@adriansr Unfortunately, I am very busy right now, so I don't have time to change the PR. As you know, I already created this PR for the third time and every time there was sth. additionally I had to change. To avoid a neverending story, could you make the needed changes so I know directly, how to do it right for the next time? |
Thanks a lot @adriansr |
@MarcusCaepio I'll merge this into 7.7.0. As it is an enhancement, it can't go into a bugfix release. I just rebased it and will try to merge it soon. |
Fixes elastic#16212 The split part is needed, because one has to be able to search for an explicit dap_record. As the records order and number can vary a lot, just saving the whole string makes no sense. I chose "user.email", "source.ip" as ECS fields and "cisco.connection_type", "cisco.dap_records", as looking to the syslog messages docs,they also call it like that. I made "make update" in /beats/x.pack/filebeat and /beats/filebeat. Hopefully the pipeline succeeds now.
jenkins, test this |
jenkins, test this |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, only a possible suggestion.
The split part is needed, because one has to be able to search for an explicit dap_record. As the records order and number can vary a lot, just saving the whole string makes no sense. I chose "user.email", "source.ip" as ECS fields and "cisco.connection_type", "cisco.dap_records", as looking to the syslog messages docs,they also call it like that. I made "make update" in /beats/x.pack/filebeat and /beats/filebeat. Hopefully the pipeline succeeds now. Fixes elastic#16212 Co-authored-by: MarcusCaepio <[email protected]> (cherry picked from commit ac2b333)
…essage 734001. (#17128) The split part is needed, because one has to be able to search for an explicit dap_record. As the records order and number can vary a lot, just saving the whole string makes no sense. I chose "user.email", "source.ip" as ECS fields and "cisco.connection_type", "cisco.dap_records", as looking to the syslog messages docs,they also call it like that. I made "make update" in /beats/x.pack/filebeat and /beats/filebeat. Hopefully the pipeline succeeds now. Fixes #16212 (cherry picked from commit ac2b333) Co-authored-by: MarcusCaepio <[email protected]>
Hopefully the pipeline runs sucessfully now.
- [ ] I have commented my code, particularly in hard-to-understand areas- [ ] I have made corresponding changes to the documentationHow to test this PR locally
Testfiles are included
Related issues
Use cases
Parsing VPN Logs for Cisco ASA and FTD