elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

Integration: CiscoFTD Grok error on FTD message ID 722051 - incorrect grok pattern #10505

Closed agmic closed 1 month ago

agmic commented 1 month ago

We are getting parsing errors on some Cisco FTD logs with message id 722051.

The pipeline fails to parse the user's name when it is written with spaces, as the processor uses a "NOTSPACE" grok pattern:

https://github.com/elastic/integrations/blob/b9a416c667a13e732c1a1f15eb722476c38b4ea5/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml#L835

An example log is here: <164>Jul 16 2024 12:30:30: %FTD-4-722051: Group <ADM-AnyConnectGroup> User <Anders Elkjær Andersen> IP <11.22.33.44> IPv4 Address <172.16.1.1> IPv6 address <::> assigned to session

We have only seen these logs when the user's name is surrounded by "<" ">", so it may be possible to switch to GREEDYDATA or some other regex pattern. I haven't been able to track down what values Cisco accepts in this field.

As an aside, shouldn't these GROK expressions be anchored at the start as well?
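The failure described in this issue, reproduced as an added example (not code from the elastic/integrations pipeline): grok's `NOTSPACE` is `\S+`, so the `User <...>` field stops at the first blank, while a `[^>]+` sub-pattern reads up to the closing `>`. The sample message bodies are constructed from the log quoted above with the syslog header removed, and the `%{IP}` stand-in is IPv4-only; the anchored variant also shows the effect of the `^`/`$` anchoring asked about in the aside.

```python
import re

# Grok primitives spelled out as plain regex (grok's NOTSPACE is \S+).
NOTSPACE = r"\S+"
IP = r"(?:\d{1,3}\.){3}\d{1,3}"   # IPv4-only stand-in for grok %{IP}

def build_722051_pattern(user_subpattern: str, anchored: bool = True) -> re.Pattern:
    """Regex for the FTD 722051 body; user_subpattern fills the <User> field."""
    body = (
        r"%FTD-\d-722051: Group <(?P<group>\S+)> "
        r"User <(?P<user>" + user_subpattern + r")> "
        r"IP <(?P<ip>" + IP + r")> IPv4 Address <(?P<ipv4>" + IP + r")> "
        r"IPv6 address <(?P<ipv6>\S+)> assigned to session"
    )
    # Anchoring rejects any line that carries the 722051 text with extra material around it.
    return re.compile(r"^" + body + r"$" if anchored else body)

# NOTSPACE stops at the first blank, so a name containing spaces cannot match.
NOTSPACE_PATTERN = build_722051_pattern(NOTSPACE)
# [^>]+ consumes everything up to the closing '>' and therefore tolerates spaces.
BRACKET_PATTERN = build_722051_pattern(r"[^>]+")

def parse_722051(message: str, pattern: re.Pattern = BRACKET_PATTERN):
    """Return the named fields as a dict, or None when the pattern does not match."""
    m = pattern.search(message)
    return m.groupdict() if m else None

# Constructed sample: body of the message quoted in the issue, syslog header removed.
SAMPLE_WITH_SPACES = (
    "%FTD-4-722051: Group <ADM-AnyConnectGroup> User <Anders Elkjær Andersen> "
    "IP <11.22.33.44> IPv4 Address <172.16.1.1> IPv6 address <::> assigned to session"
)
# Constructed sample with a single-token user name, which NOTSPACE handles fine.
SAMPLE_SINGLE_TOKEN = SAMPLE_WITH_SPACES.replace("Anders Elkjær Andersen", "jdoe")

if __name__ == "__main__":
    for label, sample in (("spaces", SAMPLE_WITH_SPACES), ("single", SAMPLE_SINGLE_TOKEN)):
        print(label, "NOTSPACE:", parse_722051(sample, NOTSPACE_PATTERN))
        print(label, "[^>]+   :", parse_722051(sample, BRACKET_PATTERN))
```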

elasticmachine commented 1 month ago

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)