[cisco_ftd] Fix grok failure with username with spaces on ftd message…

…ID. (elastic#11198) * [cisco_ftd] Fix grok failure with username with spaces on ftd messageID. * Update changelog PR number * Fix test files names * Change the pipeline grok per code review feedback
taylor-swanson · Oct 2, 2024 · 3d1a66e · 3d1a66e
1 parent 57e9855
commit 3d1a66e
Show file tree

Hide file tree

Showing 5 changed files with 72 additions and 7 deletions.
diff --git a/packages/cisco_ftd/changelog.yml b/packages/cisco_ftd/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.4.2"
+  changes:
+    - description: "Fix grok failure with username with spaces on ftd messageID."
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/11198
 - version: "3.4.1"
   changes:
     - description: "Fix parsing issues with message IDs 210007, 305013, and 302023."

diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-username-with-spaces.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-username-with-spaces.log
@@ -0,0 +1 @@
+<166>: 2024 Aug 07 10:29:42 UTC ccafa9b4-b48a-4156-b3af-de2d35e5f432 : %FTD-auth-6-113039: Group <GroupPolicy_XXX> User <MacBook Pro belonging to bob.dylan.xyz.local> IP <10.10.4.100> AnyConnect parent session started.
diff --git a/...co_ftd/data_stream/log/_dev/test/pipeline/test-ftd-username-with-spaces.log-expected.json b/...co_ftd/data_stream/log/_dev/test/pipeline/test-ftd-username-with-spaces.log-expected.json
@@ -0,0 +1,59 @@
+{
+    "expected": [
+        {
+            "cisco": {
+                "ftd": {
+                    "suffix": "auth"
+                }
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "client-vpn-connected",
+                "code": "113039",
+                "original": "<166>: 2024 Aug 07 10:29:42 UTC ccafa9b4-b48a-4156-b3af-de2d35e5f432 : %FTD-auth-6-113039: Group <GroupPolicy_XXX> User <MacBook Pro belonging to bob.dylan.xyz.local> IP <10.10.4.100> AnyConnect parent session started.",
+                "severity": 6,
+                "timezone": "UTC"
+            },
+            "log": {
+                "level": "informational",
+                "syslog": {
+                    "facility": {
+                        "code": 20
+                    },
+                    "priority": 166,
+                    "severity": {
+                        "code": 6
+                    }
+                }
+            },
+            "observer": {
+                "product": "ftd",
+                "type": "idps",
+                "vendor": "Cisco"
+            },
+            "related": {
+                "ip": [
+                    "10.10.4.100"
+                ],
+                "user": [
+                    "MacBook Pro belonging to bob.dylan.xyz.local"
+                ]
+            },
+            "source": {
+                "address": "10.10.4.100",
+                "ip": "10.10.4.100",
+                "user": {
+                    "group": {
+                        "name": "GroupPolicy_XXX"
+                    },
+                    "name": "MacBook Pro belonging to bob.dylan.xyz.local"
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        }
+    ]
+}
diff --git a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -388,13 +388,12 @@ processors:
       if: '["113029","113030","113031","113032","113033","113034","113035","113036","113038","113039"].contains(ctx._temp_.cisco.message_id)'
       field: "message"
       description: "113029, 113030, 113031, 113032, 113033, 113034, 113035, 113036, 113038, 113039"
+      tag: "113039_group_user_ip"
       patterns:
-        - "Group <%{NOTSPACE:source.user.group.name}> User <%{CISCO_USER:source.user.name}> IP <%{IP:source.address}>"
-        - "Group %{NOTSPACE:source.user.group.name} User %{CISCO_USER:source.user.name} IP %{IP:source.address}"
+        - '^Group <%{NOTBRACKET:source.user.group.name}> User <%{NOTBRACKET:source.user.name}> IP <%{NOTBRACKET:source.address}>'
+        - '^Group %{NOTSPACE:source.user.group.name} User %{NOTSPACE:source.user.name} IP %{NOTSPACE:source.address}'
       pattern_definitions:
-        HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z_-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z_-]{0,62}))*(\\.?|\\b)"
-        IPORHOST: "(?:%{IP}|%{HOSTNAME})"
-        CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?)
+        NOTBRACKET: "[^<>]+"
   - grok:
       if: "ctx._temp_.cisco.message_id == '113042'"
       field: "message"
@@ -2692,4 +2691,5 @@ on_failure:
       value: pipeline_error
   - append:
       field: "error.message"
-      value: "{{{ _ingest.on_failure_message }}}"
+      value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
diff --git a/packages/cisco_ftd/manifest.yml b/packages/cisco_ftd/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_ftd
 title: Cisco FTD
-version: "3.4.1"
+version: "3.4.2"
 description: Collect logs from Cisco FTD with Elastic Agent.
 type: integration
 categories:
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		<166>: 2024 Aug 07 10:29:42 UTC ccafa9b4-b48a-4156-b3af-de2d35e5f432 : %FTD-auth-6-113039: Group <GroupPolicy_XXX> User <MacBook Pro belonging to bob.dylan.xyz.local> IP <10.10.4.100> AnyConnect parent session started.