From 1144f99c6958162d3b502823161af3563ecf9c74 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Fri, 22 Apr 2022 10:47:35 +0930 Subject: [PATCH 1/2] cisco_duo: simplify grok expression for handling ports --- packages/cisco_duo/changelog.yml | 5 +++++ .../elasticsearch/ingest_pipeline/default.yml | 20 +++++++++---------- packages/cisco_duo/manifest.yml | 2 +- 3 files changed, 16 insertions(+), 11 deletions(-) diff --git a/packages/cisco_duo/changelog.yml b/packages/cisco_duo/changelog.yml index fc9b9e8d782..e43c967d8b0 100644 --- a/packages/cisco_duo/changelog.yml +++ b/packages/cisco_duo/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.6" + changes: + - description: Simplify IP grok patterns. + type: enhancement + link: https://github.com/elastic/integrations/pull/nnnn - version: "1.1.5" changes: - description: Fix handling of IP addresses with port numbers. diff --git a/packages/cisco_duo/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/data_stream/auth/elasticsearch/ingest_pipeline/default.yml index e854f9b5024..130c2954e85 100644 --- a/packages/cisco_duo/data_stream/auth/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_duo/data_stream/auth/elasticsearch/ingest_pipeline/default.yml 
@@ -50,14 +50,14 @@ processors: - grok: field: json.access_device.ip patterns: - - "^%{IPV4:json.access_device.ip}:%{NUMBER:json.access_device.port}$" - - "^\\[%{IPV6:json.access_device.ip}\\]:%{NUMBER:json.access_device.port}$" - - "^%{IPV6NOCOMPRESS:json.access_device.ip}:%{NUMBER:json.access_device.port}$" - - "^%{IPV6:json.access_device.ip}%{IPV6PORTSEP}%{NUMBER:json.access_device.port}$" - - "^%{IPV6:json.access_device.ip}%{IPV6PORTSEP}%{POSINT:json.access_device.port}$" + - "^%{IPV4:json.access_device.ip}:%{PORT:json.access_device.port}$" + - "^\\[%{IPV6:json.access_device.ip}\\]:%{PORT:json.access_device.port}$" + - "^%{IPV6NOCOMPRESS:json.access_device.ip}:%{PORT:json.access_device.port}$" + - "^%{IPV6:json.access_device.ip}%{IPV6PORTSEP}%{PORT:json.access_device.port}$" pattern_definitions: IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' IPV6PORTSEP: '(?: port |[p#.])' + PORT: '[0-9]+' ignore_missing: true ignore_failure: true - convert: @@ -79,14 +79,14 @@ processors: - grok: field: json.auth_device.ip patterns: - - "^%{IPV4:json.auth_device.ip}:%{NUMBER:json.auth_device.port}$" - - "^\\[%{IPV6:json.auth_device.ip}\\]:%{NUMBER:json.auth_device.port}$" - - "^%{IPV6NOCOMPRESS:json.auth_device.ip}:%{NUMBER:json.auth_device.port}$" - - "^%{IPV6:json.auth_device.ip}%{IPV6PORTSEP}%{NUMBER:json.auth_device.port}$" - - "^%{IPV6:json.auth_device.ip}%{IPV6PORTSEP}%{POSINT:json.auth_device.port}$" + - "^%{IPV4:json.auth_device.ip}:%{PORT:json.auth_device.port}$" + - "^\\[%{IPV6:json.auth_device.ip}\\]:%{PORT:json.auth_device.port}$" + - "^%{IPV6NOCOMPRESS:json.auth_device.ip}:%{PORT:json.auth_device.port}$" + - "^%{IPV6:json.auth_device.ip}%{IPV6PORTSEP}%{PORT:json.auth_device.port}$" pattern_definitions: IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' IPV6PORTSEP: '(?: port |[p#.])' + PORT: '[0-9]+' ignore_missing: true ignore_failure: true - convert: 
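Review bot: The new `PORT: '[0-9]+'` definition under pattern_definitions in the first hunk (and the identical one in the second hunk at `@@ -79,14`) is looser than the `POSINT` pattern it replaces: it also accepts leading zeros and digit runs of any length, so an input such as `1.2.3.4:099999` is split into an ip and a port of `099999` instead of being left unmatched. The `convert` processor that follows each grok starts outside the hunk, so I cannot tell from here whether it casts the port to a number; if it does, out-of-range values would be stored as port numbers rather than surfacing as a parse failure. If the intent is to reject such values at the grok stage, bounding the definition to `PORT: '[0-9]{1,5}'` keeps the simplification while narrowing what is captured; if the looseness is deliberate, a comment on the definition saying so would save the next reader the same question. Either way the two definitions should stay in step, since each grok processor carries its own copy.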
diff --git a/packages/cisco_duo/manifest.yml b/packages/cisco_duo/manifest.yml index 897945822e3..6dfe08a634f 100644 --- a/packages/cisco_duo/manifest.yml +++ b/packages/cisco_duo/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: cisco_duo title: Cisco Duo -version: 1.1.5 +version: 1.1.6 license: basic description: Collect logs from Cisco Duo with Elastic Agent. type: integration From 7573b38eae90140b5445529276bba1ab4d917f81 Mon Sep 17 00:00:00 2001 From: Dan Kortschak <90160302+efd6@users.noreply.github.com> Date: Fri, 22 Apr 2022 10:50:40 +0930 Subject: [PATCH 2/2] Update packages/cisco_duo/changelog.yml --- packages/cisco_duo/changelog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/cisco_duo/changelog.yml b/packages/cisco_duo/changelog.yml index e43c967d8b0..446b0652ded 100644 --- a/packages/cisco_duo/changelog.yml +++ b/packages/cisco_duo/changelog.yml @@ -3,7 +3,7 @@ changes: - description: Simplify IP grok patterns. type: enhancement - link: https://github.com/elastic/integrations/pull/nnnn + link: https://github.com/elastic/integrations/pull/3170 - version: "1.1.5" changes: - description: Fix handling of IP addresses with port numbers.