elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

[Check Point] Field checkpoint.source_object mapped incorrectly as long #25124

Closed inqueue closed 3 years ago

inqueue commented 3 years ago
  1. ./filebeat setup
  2. observe field mapping for checkpoint.source_object

According to https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144192, Check Point module field checkpoint.source_object should be mapped as a string type instead of long. Events with the field can encounter a mapper_parsing_exception with the current template:

[2021-04-02T17:07:49,508][WARN ][logstash.outputs.elasticsearch][checkpoint-security][checkpoint-security] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"checkpoint-security_filebeat-7.11.2", :routing=>nil, :pipeline=>"filebeat-7.11.2-checkpoint-firewall-pipeline"}, #LogStash::Event:0x36ebe333], :response=>{"index"=>{"_index"=>"checkpoint-security_filebeat-7.11.2-2021.04.02-000021", "_type"=>"_doc", "_id"=>"2FYgk3gB7n6nMgM0RtU0", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [checkpoint.source_object] of type [long] in document with id '2FYgk3gB7n6nMgM0RtU0'. Preview of field's value: 'Africa'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"For input string: "Africa""}}}}}

Workaround

To work around it, override the default field mapping with an additional higher-order template.

PUT /_template/filebeat-checkpoint-source-object-override
{
  "order": 10,
  "index_patterns": [
    "filebeat-*"
  ],
  "mappings": {
    "properties": {
      "checkpoint": {
        "properties": {
          "source_object": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      }
    }
  }
}

The field will have the correct mapping when a new Filebeat index is created.
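The override above works because legacy `_template` definitions that match an index are merged in ascending `order`, so the `order: 10` template's `keyword` mapping wins over the module's `long`. The following is an added example, not code from the issue or from the Beats project: it models that merge offline and pre-checks a sample event against the resulting field types, so a value such as `'Africa'` landing in a `long` field is caught before Elasticsearch rejects it with `mapper_parsing_exception`. The base template and the sample event are constructed stand-ins for the real Filebeat checkpoint module template and a real Check Point event.

```python
"""Added example (not part of the beats issue or project code).

Simulates how Elasticsearch legacy index templates merge by "order" and
pre-checks sample events against the resulting mapping. The base template
below is a constructed stand-in for the Filebeat checkpoint module mapping.
"""
import fnmatch

# Constructed stand-in for the relevant slice of the Filebeat template.
BASE_TEMPLATE = {
    "order": 1,
    "index_patterns": ["filebeat-*"],
    "mappings": {"properties": {"checkpoint": {"properties": {
        "source_object": {"type": "long"},
        "rule_uid": {"type": "keyword", "ignore_above": 1024},
    }}}},
}

# The override template from the workaround in the issue.
OVERRIDE_TEMPLATE = {
    "order": 10,
    "index_patterns": ["filebeat-*"],
    "mappings": {"properties": {"checkpoint": {"properties": {
        "source_object": {"ignore_above": 1024, "type": "keyword"},
    }}}},
}

# Constructed event; the value 'Africa' mirrors the one in the issue's log line.
SAMPLE_EVENT = {"checkpoint": {"source_object": "Africa",
                               "rule_uid": "constructed-rule-uid"}}


def _deep_merge(base, override):
    """Recursively merge two dicts; values from `override` win on conflict."""
    merged = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = _deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def effective_mappings(templates, index_name):
    """Merge the `mappings` of every template whose index_patterns match
    index_name, applying them in ascending `order` so higher-order templates
    override lower ones (legacy `_template` semantics, not composable ones)."""
    matching = [t for t in templates
                if any(fnmatch.fnmatch(index_name, p) for p in t["index_patterns"])]
    merged = {}
    for template in sorted(matching, key=lambda t: t.get("order", 0)):
        merged = _deep_merge(merged, template["mappings"])
    return merged


def flatten_field_types(mappings, prefix=""):
    """Turn nested `properties` into {"dotted.path": "type"}."""
    out = {}
    for name, spec in mappings.get("properties", {}).items():
        path = prefix + name
        if "properties" in spec:
            out.update(flatten_field_types(spec, path + "."))
        else:
            out[path] = spec.get("type", "object")
    return out


def _flatten_event(event, prefix=""):
    """Turn a nested event into {"dotted.path": value}."""
    out = {}
    for key, value in event.items():
        path = prefix + key
        if isinstance(value, dict):
            out.update(_flatten_event(value, path + "."))
        else:
            out[path] = value
    return out


def _coerces_to_long(value):
    """Model Elasticsearch's default coerce=true for a long field: numbers and
    numeric strings are accepted; booleans and non-numeric strings are not."""
    if isinstance(value, bool):
        return False
    if isinstance(value, (int, float)):
        return True
    if isinstance(value, str):
        digits = value.strip()
        if digits.startswith("-"):
            digits = digits[1:]
        return digits.replace(".", "", 1).isdigit()
    return False


def find_mapping_conflicts(templates, index_name, event):
    """Return (field, value, mapped_type) for each event field whose value
    would be rejected by the effective mapping. Only `long` is checked
    strictly here; keyword/text accept any scalar."""
    field_types = flatten_field_types(effective_mappings(templates, index_name))
    conflicts = []
    for path, value in _flatten_event(event).items():
        mapped = field_types.get(path)
        if mapped == "long" and not _coerces_to_long(value):
            conflicts.append((path, value, mapped))
    return conflicts


if __name__ == "__main__":
    index = "filebeat-7.11.2-2021.04.02-000021"
    print("module template only:", find_mapping_conflicts([BASE_TEMPLATE], index, SAMPLE_EVENT))
    print("with override:", find_mapping_conflicts([BASE_TEMPLATE, OVERRIDE_TEMPLATE], index, SAMPLE_EVENT))
```

The simulation also makes the pattern check explicit: an index whose name does not match the override's `index_patterns` gets no templates applied at all (the `checkpoint-security_filebeat-...` index name in the log line above, for instance, does not match `filebeat-*`), so confirm the pattern against the real index names before relying on the override.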

legoguy1000 commented 3 years ago

Good find. Easy fix to update the module.

elasticmachine commented 3 years ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

legoguy1000 commented 3 years ago

I made the change to source_object but I'm not even seeing it as a field that's parsed/set via Filebeat or the ingest pipeline (https://github.com/elastic/beats/blob/master/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml). Are you doing it via a custom logstash pipeline?

legoguy1000 commented 3 years ago

I just created a draft PR. If you think it solves your issue, I will take it out of draft.