Closed willem-dhaese closed 2 months ago
Integration Name
F5 BIG-IP [f5_bigip]
Dataset Name
f5_bigip.log
Integration Version
1.18.1
Agent Version
8.14.3
Agent Output Type
elasticsearch
Elasticsearch Version
8.14.3
OS Version and Architecture
RHEL9
Software/API Version
No response
Error Message
Processor convert with tag convert_x_forwarded_for_header_value_to_ip in pipeline logs-f5_bigip.log-1.18.1-pipeline_bigipasm failed with message: '10.43.24.23, 10.43.24.24' is not an IP string literal.
Event Original
{
  "attack_type": "N/A",
  "blocking_exception_reason": "N/A",
  "captcha_result": "not_received",
  "date_time": "2024-08-06T10:03:36.000Z",
  "dest_ip": "10.30.4.56",
  "dest_port": "443",
  "device_id": "N/A",
  "fragment": "",
  "geo_location": "N/A",
  "hostname": "f5qa",
  "http_class_name": "/Common/asmpolicy_lampqa",
  "ip_address_intelligence": "N/A",
  "ip_client": "10.43.24.23",
  "management_ip_address": "10.52.34.33",
  "management_ip_address_2": "N/A",
  "method": "HEAD",
  "microservice": "N/A",
  "originalRawData": "\u003c134\u003eAug 6 12:03:36 f5qa ASM:unit_hostname=\"f5qa\",management_ip_address=\"10.52.34.33\",management_ip_address_2=\"N/A\",http_class_name=\"/Common/asmpolicy_lampqa\",web_application_name=\"/Common/asmpolicy_lampqa\",policy_name=\"/Common/asmpolicy_lampqa\",policy_apply_date=\"2024-07-02 16:43:55\",violations=\"N/A\",support_id=\"5410866668007843666\",request_status=\"passed\",response_code=\"200\",ip_client=\"10.43.24.23\",route_domain=\"0\",method=\"HEAD\",protocol=\"HTTPS\",query_string=\"\",x_forwarded_for_header_value=\"10.43.24.23, 10.43.24.23\",sig_ids=\"N/A\",sig_names=\"N/A\",date_time=\"2024-08-06 12:03:36\",severity=\"Informational\",attack_type=\"N/A\",geo_location=\"N/A\",ip_address_intelligence=\"N/A\",username=\"N/A\",session_id=\"7a60af492530220b\",src_port=\"50668\",dest_port=\"443\",dest_ip=\"10.30.4.56\",sub_violations=\"N/A\",virus_name=\"N/A\",violation_rating=\"0\",websocket_direction=\"N/A\",websocket_message_type=\"N/A\",device_id=\"N/A\",staged_sig_ids=\"\",staged_sig_names=\"\",threat_campaign_names=\"N/A\",staged_threat_campaign_names=\"N/A\",blocking_exception_reason=\"N/A\",captcha_result=\"not_received\",microservice=\"N/A\",tap_event_id=\"N/A\",tap_vid=\"N/A\",vs_name=\"/Common/vs_externalqa13_443\",sig_cves=\"N/A\",staged_sig_cves=\"N/A\",uri=\"/repository/maven-public/io/netty/netty-codec-haproxy/4.1.110.Final/netty-codec-haproxy-4.1.110.Final.jar\",fragment=\"\",request=\"HEAD /repository/maven-public/io/netty/netty-codec-haproxy/4.1.110.Final/netty-codec-haproxy-4.1.110.Final.jar HTTP/1.1\\r\\nCache-Control: no-cache, no-store\\r\\nPragma: no-cache\\r\\nHost: domain.gent\\r\\nConnection: Keep-Alive\\r\\nUser-Agent: Apache-Maven/3.9.7 (Java 17.0.12; Windows 11 10.0)\\r\\nAccept-Encoding: gzip,deflate\\r\\nAuthorization: Basic dc2VydmljZWZhY3Rvcnk6TE1YaHZwRUxhRjJodEFScWFQkkk=\\r\\nX-Forwarded-For: 10.43.24.23, 10.43.24.23\\r\\nX-Forwarded-Proto: https\\r\\n\\r\\n\",response=\"Response logging disabled\"",
  "policy_apply_date": "2024-07-02 16:43:55",
  "policy_name": "/Common/asmpolicy_lampqa",
  "protocol": "HTTPS",
  "query_string": "",
  "request": "HEAD /repository/maven-public/io/netty/netty-codec-haproxy/4.1.110.Final/netty-codec-haproxy-4.1.110.Final.jar HTTP/1.1\\r\\nCache-Control: no-cache, no-store\\r\\nPragma: no-cache\\r\\nHost: domain.gent\\r\\nConnection: Keep-Alive\\r\\nUser-Agent: Apache-Maven/3.9.7 (Java 17.0.12; Windows 11 10.0)\\r\\nAccept-Encoding: gzip,deflate\\r\\nAuthorization: Basic dc2VydmljZWZhY3Rvcnk6TE1YaHZwRUxhRjJodEFScWFQkkk=\\r\\nX-Forwarded-For: 10.43.24.23, 10.43.24.24\\r\\nX-Forwarded-Proto: https\\r\\n\\r\\n",
  "request_status": "passed",
  "response": "Response logging disabled",
  "response_code": "200",
  "route_domain": "0",
  "session_id": "7a60af492530220b",
  "severity": "Informational",
  "sig_cves": "N/A",
  "sig_ids": "N/A",
  "sig_names": "N/A",
  "src_port": "50668",
  "staged_sig_cves": "N/A",
  "staged_sig_ids": "",
  "staged_sig_names": "",
  "staged_threat_campaign_names": "N/A",
  "sub_violations": "N/A",
  "support_id": "5410868666607846666",
  "tap_event_id": "N/A",
  "tap_vid": "N/A",
  "telemetryEventCategory": "ASM",
  "tenant": "Common",
  "threat_campaign_names": "N/A",
  "uri": "/repository/maven-public/io/netty/netty-codec-haproxy/4.1.110.Final/netty-codec-haproxy-4.1.110.Final.jar",
  "username": "N/A",
  "violation_rating": "0",
  "violations": "N/A",
  "virus_name": "N/A",
  "vs_name": "/Common/vs_externalqa13_443",
  "web_application_name": "/Common/asmpolicy_lampqa",
  "websocket_direction": "N/A",
  "websocket_message_type": "N/A",
  "x_forwarded_for_header_value": "10.43.24.23, 10.43.24.24"
}
What did you do?
Normal f5_bigip.log integration setup
What did you see?
f5_bigip.log.x_forwarded_for_header_value is not indexed correctly.
What did you expect to see?
Correctly parsed X-Forwarded-For and no errors.
Anything else?
No response
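The failure above is a type problem rather than a data problem: X-Forwarded-For is a comma-separated list of hops, and a convert step that expects one IP literal rejects any request that crossed more than one proxy. The following Python is an added example, not the issue author's code and not the f5_bigip integration's own pipeline. It pulls the key="value" pairs out of an ASM message, reproduces the single-IP conversion that fails, and shows the shape a pipeline needs instead: split on commas, validate each entry, and store a list. The sample message is a constructed, trimmed copy of the event in the report; the function names and the output field names are the example's own.

```python
import ipaddress
import re

# Constructed sample: the F5 ASM key=value message from the bug report, cut down
# to the fields this example touches (the real event carries many more).
SAMPLE_ASM_MESSAGE = (
    '<134>Aug 6 12:03:36 f5qa ASM:unit_hostname="f5qa",ip_client="10.43.24.23",'
    'x_forwarded_for_header_value="10.43.24.23, 10.43.24.24",'
    'dest_ip="10.30.4.56",dest_port="443",request="HEAD / HTTP/1.1\\r\\n\\r\\n"'
)

# key="value" pairs; values may contain commas and backslash-escaped characters,
# so a plain split on "," would break the request field.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_asm_kv(message: str) -> dict:
    """Split the part after 'ASM:' into a dict of string values."""
    body = message.split("ASM:", 1)[-1]
    return dict(KV_RE.findall(body))


def convert_single_ip(value: str):
    """Reproduce what a convert(type=ip) step does: the whole string must be a
    single IP literal. Returns the normalised IP, or None for the failing case."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def parse_xff(value) -> list:
    """Turn an X-Forwarded-For value into a list of validated IP strings.
    '' and 'N/A' (F5's placeholder) become []; a malformed entry raises
    ValueError so the caller can route the event to a failure index instead
    of silently dropping the field."""
    if value is None or value.strip() in ("", "N/A"):
        return []
    ips = []
    for part in value.split(","):
        part = part.strip()
        if part:
            ips.append(str(ipaddress.ip_address(part)))  # raises on garbage
    return ips


def enrich(message: str) -> dict:
    """Build the handful of fields the issue is about (field names are this
    example's own, not the integration's)."""
    kv = parse_asm_kv(message)
    xff = parse_xff(kv.get("x_forwarded_for_header_value"))
    return {
        "ip_client": kv.get("ip_client"),
        "x_forwarded_for_header_value": xff,
        # Every hop listed before the one appended by your own proxy was
        # supplied by the client; keep it for investigation, not for trust.
        "xff_first_hop": xff[0] if xff else None,
    }


if __name__ == "__main__":
    raw = parse_asm_kv(SAMPLE_ASM_MESSAGE)["x_forwarded_for_header_value"]
    print("single-IP convert:", convert_single_ip(raw))  # None: the reported failure
    print("list convert:     ", parse_xff(raw))           # two validated entries
    print(enrich(SAMPLE_ASM_MESSAGE))
```

On the ingest side the equivalent change is to split the field on the comma before the convert step runs, since the Elasticsearch convert processor converts each member when the field is an array. Whichever way it is fixed, the list order still matters for analysis: only the entry added by the proxy you operate is known-good, and the ones before it are whatever the sender chose to put there.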
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)