Closed DylanRJohnston closed 3 days ago
Confirmed that this causes an error by posting it to an Elastic container:
// POST /_ingest/pipeline/_simulate
{
  "pipeline": {
    "description": "parse cisco logs",
    "processors": [
      {
        "dissect": {
          "field": "message",
          "pattern": "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.iana_number} %{source.address} %{} %{destination.address}, %{source.packets} packet"
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "message": "<166>352133: ASR920: Aug 3 08:04:47.140: %SEC-6-IPACCESSLOGNP: list ACL_CE-SECURITY denied 112 89.160.20.112 -> 224.0.0.18, 295 packets"
      }
    }
  ]
}

{
  "docs": [
    {
      "error": {
        "root_cause": [
          {
            "type": "find_match",
            "reason": "Unable to find match for dissect pattern: list %{cisco.ios.access_list} %{_temp_.event.action} %{network.iana_number} %{source.address} %{} %{destination.address}, %{source.packets} packet against source: <166>352133: ASR920: Aug 3 08:04:47.140: %SEC-6-IPACCESSLOGNP: list ACL_CE-SECURITY denied 112 89.160.20.112 -> 224.0.0.18, 295 packets"
          }
        ],
        "type": "find_match",
        "reason": "Unable to find match for dissect pattern: list %{cisco.ios.access_list} %{_temp_.event.action} %{network.iana_number} %{source.address} %{} %{destination.address}, %{source.packets} packet against source: <166>352133: ASR920: Aug 3 08:04:47.140: %SEC-6-IPACCESSLOGNP: list ACL_CE-SECURITY denied 112 89.160.20.112 -> 224.0.0.18, 295 packets"
      }
    }
  ]
}
Actually, turns out I'm stupid: I was posting the whole log line, <166>352133: ASR920: Aug 3 08:04:47.140: %SEC-6-IPACCESSLOGNP: list ACL_CE-SECURITY denied 112 89.160.20.112 -> 224.0.0.18, 295 packets, instead of just list ACL_CE-SECURITY denied 112 89.160.20.112 -> 224.0.0.18, 295 packets. Although it's still not clear to me why this works, given that the Elastic documentation claims that dissect must match the entire pattern: https://www.elastic.co/guide/en/elasticsearch/reference/current/dissect-processor.html#dissect-modifier-skip-right-padding
The Cisco IOS module has the following log line in its test data.
However, the corresponding dissect pattern doesn't handle the pluralization of the word packet(s). Dissections must match the entire string, and so the trailing s causes the dissection to fail the whole pipeline. Given that this counterexample is in the test data, are the tests being properly evaluated? As far as I can tell, the problem in the dissection pattern has existed for over 3 years, and the counterexample has been in the test data for at least 2 years.
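To make the two separate failure modes in this thread concrete (the syslog prefix before "list" in the first _simulate request, and the trailing "s" of "packets" raised in the issue body), here is an added, self-contained Python matcher that implements dissect's documented key / skip-key semantics over the pattern from the request above. It is example code written for this page, not Elasticsearch's DissectParser and not part of the Cisco IOS module; the sample lines are constructed, the require_full_match switch is an assumption that models both readings of "must match the entire string" rather than a statement about what Elasticsearch actually does, and the PLURAL_SAFE_PATTERN (the original pattern with a trailing %{} skip key) is one plausible fix to verify with _simulate, not the module's own.

```python
"""Minimal dissect-style matcher, added for illustration (not Elasticsearch's parser)."""
import re

# Constructed sample input (not copied from the module's test data): the line as
# first posted with its syslog prefix, and the same line trimmed to the "list ..."
# part the pattern describes, in plural and singular forms.
FULL_LINE = (
    "<166>352133: ASR920: Aug 3 08:04:47.140: %SEC-6-IPACCESSLOGNP: "
    "list ACL_CE-SECURITY denied 112 89.160.20.112 -> 224.0.0.18, 295 packets"
)
TRIMMED_PLURAL = "list ACL_CE-SECURITY denied 112 89.160.20.112 -> 224.0.0.18, 295 packets"
TRIMMED_SINGULAR = "list ACL_CE-SECURITY denied 112 89.160.20.112 -> 224.0.0.18, 1 packet"

# The pattern from the _simulate request in this thread, and a variant (assumption:
# one plausible fix, not the module's) ending in a skip key that consumes "" or "s".
ORIGINAL_PATTERN = (
    "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.iana_number} "
    "%{source.address} %{} %{destination.address}, %{source.packets} packet"
)
PLURAL_SAFE_PATTERN = ORIGINAL_PATTERN + "%{}"

_KEY = re.compile(r"%\{([^}]*)\}")


def compile_pattern(pattern):
    """Split a pattern into its leading literal and (key, delimiter-after-key) pairs.

    re.split with a capturing group interleaves literals and key names, so the
    result is [literal0, key0, literal1, key1, ..., literalN].
    """
    parts = _KEY.split(pattern)
    leading = parts[0]
    pairs = [(parts[i], parts[i + 1]) for i in range(1, len(parts), 2)]
    return leading, pairs


def _scan(pattern, text):
    """Walk the pattern over text; return (fields, leftover) or None if a literal is missing."""
    leading, pairs = compile_pattern(pattern)
    if not text.startswith(leading):
        return None  # a syslog prefix before "list " means no match at all
    pos = len(leading)
    fields = {}
    for key, delim in pairs:
        if delim == "":
            # Last key with nothing after it: takes the remainder of the line.
            value, pos = text[pos:], len(text)
        else:
            end = text.find(delim, pos)
            if end < 0:
                return None
            value, pos = text[pos:end], end + len(delim)
        if key:  # %{} is a skip key and captures nothing
            fields[key] = value
    return fields, text[pos:]


def dissect(pattern, text, require_full_match=True):
    """Return captured fields as a dict, or None when the pattern does not match.

    With require_full_match=True any characters left after the last literal fail
    the match (the strict "entire string" reading); with False they are ignored.
    """
    scanned = _scan(pattern, text)
    if scanned is None:
        return None
    fields, rest = scanned
    if require_full_match and rest:
        return None
    return fields


def leftover(pattern, text):
    """Text remaining after the pattern's last literal, or None on no match.

    Shows exactly which characters (here the plural "s") a strict matcher rejects.
    """
    scanned = _scan(pattern, text)
    return None if scanned is None else scanned[1]


if __name__ == "__main__":
    for label, line in [("full", FULL_LINE), ("plural", TRIMMED_PLURAL), ("singular", TRIMMED_SINGULAR)]:
        print(label, "strict:", dissect(ORIGINAL_PATTERN, line))
        print(label, "lenient:", dissect(ORIGINAL_PATTERN, line, require_full_match=False))
        print(label, "leftover:", repr(leftover(ORIGINAL_PATTERN, line)))
    print("plural-safe:", dissect(PLURAL_SAFE_PATTERN, TRIMMED_PLURAL))
```

Running it shows the prefix case fails under both readings because the first literal "list " is not at the start of the line, while the plural case depends entirely on whether the leftover "s" is tolerated; the trailing %{} variant removes that dependence, which is the kind of change worth confirming against a real cluster with _simulate before relying on it.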