Closed inqueue closed 3 years ago
Good find. Easy fix to update the module.
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
I made the change to source_object but I'm not even seeing it as a field that's parsed/set via Filebeat or the ingest pipeline (https://github.com/elastic/beats/blob/master/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml). Are you doing it via a custom Logstash pipeline?
I just created a draft PR. If you think it solves your issue, I will take it out of draft.
./filebeat setup
checkpoint.source_object
According to https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144192, Check Point module field checkpoint.source_object should be mapped as a string type instead of long. Events with the field can encounter a mapper_parsing_exception with the current template:

Workaround
To work around this, override the default field mapping with an additional higher-order template.
The field will have the correct mapping when a new Filebeat index is created.
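
One way the override described in the workaround could look, as an added example that is not the template from the original issue. It uses the legacy index template API in Kibana Dev Tools syntax; the template name, the `filebeat-*` index pattern, the `order` value and the choice of `keyword` as the string type are assumptions.

```console
# Added example, not from the original issue.
# Assumed values: template name, index pattern, order 10, keyword type.
# "order" must be higher than the order of the default Filebeat template
# so that this mapping wins when the templates are merged.
PUT _template/filebeat-checkpoint-source-object
{
  "index_patterns": ["filebeat-*"],
  "order": 10,
  "mappings": {
    "properties": {
      "checkpoint": {
        "properties": {
          "source_object": { "type": "keyword" }
        }
      }
    }
  }
}

# After the next Filebeat index has been created, check the effective mapping.
GET filebeat-*/_mapping/field/checkpoint.source_object
```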