elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[CiscoIOS] Incorrect Parsing of IPACCESSLOGSP events, integration tests not running in CI? #10253

Closed DylanRJohnston closed 3 days ago

DylanRJohnston commented 3 days ago

The Cisco IOS module has the following log line in its test data.

<166>352133: ASR920: Aug 3 08:04:47.140: %SEC-6-IPACCESSLOGNP: list ACL_CE-SECURITY denied 112 89.160.20.112 -> 224.0.0.18, 295 packets

However the corresponding dissect doesn't handle the pluralization of the word packet(s). Dissections must match the entire string, and so the trailing s causes the dissection to fail the whole pipeline.

  - dissect:
      field: message
      tag: dissect_gnp
      pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.iana_number} %{source.address} %{} %{destination.address}, %{source.packets} packet"
      if: "['IPACCESSLOGNP', 'ACCESSLOGNP'].contains(ctx.event?.code)"

Given this counter example is in the test data, are the tests being properly evaluated? As far as I can tell, the problem in the dissection pattern has existed for over 3 years and the counter example has been in the test data for at least 2 years.

DylanRJohnston commented 3 days ago

Confirmed that this causes an error by posting to an Elastic container:

// POST /_ingest/pipeline/_simulate
{
    "pipeline": {
        "description": "parse cisco logs",
        "processors": [
            {
                "dissect": {
                    "field": "message",
                    "pattern": "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.iana_number} %{source.address} %{} %{destination.address}, %{source.packets} packet"
                }
            }
        ]
    },
    "docs": [
        {
            "_source": {
                "message": "<166>352133: ASR920: Aug 3 08:04:47.140: %SEC-6-IPACCESSLOGNP: list ACL_CE-SECURITY denied 112 89.160.20.112 -> 224.0.0.18, 295 packets" 
            }
        }
    ]
}

{
    "docs": [
        {
            "error": {
                "root_cause": [
                    {
                        "type": "find_match",
                        "reason": "Unable to find match for dissect pattern: list %{cisco.ios.access_list} %{_temp_.event.action} %{network.iana_number} %{source.address} %{} %{destination.address}, %{source.packets} packet against source: <166>352133: ASR920: Aug 3 08:04:47.140: %SEC-6-IPACCESSLOGNP: list ACL_CE-SECURITY denied 112 89.160.20.112 -> 224.0.0.18, 295 packets"
                    }
                ],
                "type": "find_match",
                "reason": "Unable to find match for dissect pattern: list %{cisco.ios.access_list} %{_temp_.event.action} %{network.iana_number} %{source.address} %{} %{destination.address}, %{source.packets} packet against source: <166>352133: ASR920: Aug 3 08:04:47.140: %SEC-6-IPACCESSLOGNP: list ACL_CE-SECURITY denied 112 89.160.20.112 -> 224.0.0.18, 295 packets"
            }
        }
    ]
}

DylanRJohnston commented 3 days ago

Actually, it turns out I'm stupid: I was posting the whole log line "<166>352133: ASR920: Aug 3 08:04:47.140: %SEC-6-IPACCESSLOGNP: list ACL_CE-SECURITY denied 112 89.160.20.112 -> 224.0.0.18, 295 packets" instead of just "list ACL_CE-SECURITY denied 112 89.160.20.112 -> 224.0.0.18, 295 packets". Although it's still not clear to me why this works, given the Elastic documentation claims that dissect must match the entire pattern: https://www.elastic.co/guide/en/elasticsearch/reference/current/dissect-processor.html#dissect-modifier-skip-right-padding
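Added example, not code from the thread or from the integration: a small Python emulation of dissect-style matching that reproduces both experiments above. It models the pattern's leading literal having to match at the start of the source, each %{key} taking everything up to the next literal, and any source text left after the pattern's final literal (here the plural "s") being left over rather than failing the match; this is a simplified model consistent with what the reporter observed, not Elasticsearch's own DissectParser.

```python
import re
from typing import Dict, Optional, Tuple

# Pattern copied from the Cisco IOS dissect step quoted in the issue.
PATTERN = ("list %{cisco.ios.access_list} %{_temp_.event.action} "
           "%{network.iana_number} %{source.address} %{} %{destination.address}, "
           "%{source.packets} packet")

# The raw test-data line, and the substring the pipeline hands to this step
# (earlier processors have already split off the syslog header and event code).
FULL_LINE = ("<166>352133: ASR920: Aug 3 08:04:47.140: %SEC-6-IPACCESSLOGNP: "
             "list ACL_CE-SECURITY denied 112 89.160.20.112 -> 224.0.0.18, 295 packets")
MESSAGE = "list ACL_CE-SECURITY denied 112 89.160.20.112 -> 224.0.0.18, 295 packets"


def dissect(pattern: str, source: str) -> Optional[Tuple[Dict[str, str], str]]:
    """Return ({field: value}, leftover_source), or None when the pattern cannot match.

    Simplified model (assumption, not Elasticsearch's DissectParser): the leading
    literal must match at offset 0, each %{key} takes everything up to the next
    literal, an empty key (%{}) is matched but not stored, and a final key with no
    trailing literal swallows the rest of the source.
    """
    parts = re.split(r"%\{([^}]*)\}", pattern)   # [lit0, key1, lit1, key2, lit2, ...]
    literals, keys = parts[0::2], parts[1::2]
    if not source.startswith(literals[0]):
        return None
    pos = len(literals[0])
    fields: Dict[str, str] = {}
    for key, delim in zip(keys, literals[1:]):
        if delim == "":                          # last key, no trailing literal
            value, pos = source[pos:], len(source)
        else:
            end = source.find(delim, pos)
            if end < 0:                          # delimiter never appears: no match
                return None
            value, pos = source[pos:end], end + len(delim)
        if key:                                  # %{} skips (the "->" token)
            fields[key] = value
    return fields, source[pos:]


def reproduce_issue() -> Dict[str, Optional[Tuple[Dict[str, str], str]]]:
    """Both experiments from the thread: whole line vs. the 'list ...' substring."""
    return {
        "whole_line": dissect(PATTERN, FULL_LINE),   # None: "<166>..." is not "list "
        "message_only": dissect(PATTERN, MESSAGE),   # fields parsed, leftover "s"
    }


if __name__ == "__main__":
    for name, result in reproduce_issue().items():
        print(name, "->", result)
```

The leftover "s" shows why the plural does not break the pipeline's ACL-deny parsing, while the whole-line case fails before any field is extracted.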