elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations
Other
42 stars 451 forks source link

[Cisco IOS] Syslog messages not parsed after upgrade to 1.26.6 #9857

Closed iaalmeida closed 6 months ago

iaalmeida commented 6 months ago

Kibana version: 8.13.3 Elasticsearch version: 8.13.3

After upgrade Fleet Cisco IOS Integration from version 1.25.1 to version 1.26.6, parsing of Cisco syslog messages stopped working. Now the fields are not automatically populated. My syslog messages have the following format:

<189>387448: host-01: May 6 16:13:09.123 UTC+1: %DOT1X-5-FAIL: Authentication failed for client (001e.0b80.13b5) on Interface Gi1/0/16 AuditSessionID 000000000000011D51B826E5 Steps to reproduce: Upgrade Cisco IOS Integration from version 1.25.1 to version 1.26.6 Expected behavior: No behaviour change in message parsing. Any additional context: I've verified the ingest pipeline from these two versions and confirmed than the old grok patterns from 1.25.1 are ok, but not the new ones.
elasticmachine commented 6 months ago

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

pkoutsovasilis commented 6 months ago

thanks for catching this one @iaalmeida , I have been able to reproduce what you observe. I have identified the issue and soon a PR fixing it will be there for the team to review 🙂

iaalmeida commented 6 months ago

Nice! Thank you

pkoutsovasilis commented 6 months ago

@iaalmeida as an update the issue turned out to be two-fold; indeed the changes introduced by v1.26.0 made the grok patterns incompatible with log entries that contained timestamps with timezones. However, during fixing that, another issue with how the integration was handling such timestamps surfaced. Both of these now should be addressed and you shouldn't face what you report here

Package cisco_ios - 1.26.8 containing this change is available at https://epr.elastic.co/search?package=cisco_ios

Please give it a try on your end as well and update the issue accordingly 🙂

iaalmeida commented 6 months ago

Hi @pkoutsovasilis, everything is working fine after upgrade to v.1.26.8 Thank you again for all your support 🙂