logstash-plugins / logstash-input-tcp

Apache License 2.0

V1 Proxy Protocol headers parsed into host, proxy_host and proxy_port fields incorrectly #109

Open brendanrjohnson opened 6 years ago

brendanrjohnson commented 6 years ago

Please post all product and debugging questions on our forum. Your questions will reach our wider community members there, and if we confirm that there is a bug, then we can open a new issue here.

For all general issues, please provide the following details for fast resolution:

```
input {
  tcp {
    port => 5002
    proxy_protocol => true
    type => "cisco-asa"
  }
}
```

```
{
  "_index": "logstash-cisco-asa-2018.02.08",
  "_type": "doc",
  "_id": "U4pjdWEBuOTf8uMsTEIG",
  "_version": 1,
  "_score": null,
  "_source": {
    "timestamp": "Feb 08 2018 07:28:17",
    "type": "cisco-asa",
    "@timestamp": "2018-02-08T12:28:17.231Z",
    "log_sequence_number": "305012",
    "cisco_tag": "ASA-6-305012",
    "host": "PROXY TCP4 19",
    "@version": "1",
    "src_interface": "inside",
    "log_severity": "6",
    "proxy_host": "PROXY TCP4 19",
    "proxy_port": "PROX",
    "src_ip": "_IP_",
    "tags": [ "cisco" ],
    "host_ip": "_IP_",
    "action": "Teardown",
    "protocol": "TCP",
    "message": "Teardown dynamic TCP translation from inside: _IP_/42546 to outside:_IP_/42546 duration 0:00:00",
    "src_port": "42546",
    "xlate_type": "dynamic",
    "log_facility": "ASA",
    "src_locality": "private",
    "src_xlated_ip": "_IP_",
    "src_xlated_interface": "outside"
  },
  "fields": { "@timestamp": [ "2018-02-08T12:28:17.231Z" ] },
  "sort": [ 1518092897231 ]
}
```

I have an nginx load balancer configured to send proxy protocol:

```
server {
    listen                  5002;
    listen                  [::]:5002;
    proxy_timeout           600s;
    proxy_pass              tcp-5002-default-logstash-cisco-asa-processor-5002;
    proxy_protocol          on;
}
```

The nginx server is using proxy protocol v1.

The input plugin does not appear to be parsing the proxy protocol header correctly.

```
"host": "PROXY TCP4 19"
"proxy_host": "PROXY TCP4 19"
"proxy_port": "PROX"
```

This is the first time I have attempted to use proxy protocol with the tcp input so I don't know if I am not configuring it correctly or if this is a bug. Any help will be appreciated.
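For reference, a PROXY protocol v1 header is a single text line, `PROXY TCP4 <src> <dst> <sport> <dport>\r\n`, sent ahead of the payload. The Ruby below is an added example, not part of the original report and not the plugin's code, showing a strict parse of that line. The `port` and `proxy_proto` field names, the mapping of source and destination onto `host`/`proxy_host`/`proxy_port`, and the sample addresses are assumptions.

```ruby
require "ipaddr"

PROXY_V1_MAX = 107 # longest v1 header in bytes, CRLF included (PROXY protocol spec)
PORT_RE = /\A(0|[1-9]\d{0,4})\z/

# Parse a PROXY protocol v1 header at the start of +buf+ (bytes read so far).
# Returns nil if the header line is still incomplete, otherwise [fields, payload].
# Raises ArgumentError on a malformed header so the caller can drop the connection.
# Field names follow the issue (host, proxy_host, proxy_port); "port", "proxy_proto"
# and the src/dst-to-field mapping are assumptions of this example.
def parse_proxy_v1(buf)
  eol = buf.index("\r\n")
  if eol.nil?
    raise ArgumentError, "no CRLF in first #{PROXY_V1_MAX} bytes" if buf.bytesize >= PROXY_V1_MAX
    return nil # header split across reads: wait for more data
  end
  raise ArgumentError, "header too long" if eol + 2 > PROXY_V1_MAX

  header  = buf[0...eol]
  payload = buf[(eol + 2)..]
  sig, proto, *rest = header.split(/ /, -1) # exactly one space between fields
  raise ArgumentError, "missing PROXY signature" unless sig == "PROXY"
  return [{ "proxy_proto" => "UNKNOWN" }, payload] if proto == "UNKNOWN"
  raise ArgumentError, "unsupported protocol" unless %w[TCP4 TCP6].include?(proto)
  raise ArgumentError, "expected 6 fields" unless rest.size == 4

  src, dst, sport, dport = rest
  [src, dst].each do |addr|
    raise ArgumentError, "bad address" if addr.include?("/") # IPAddr would accept a prefix
    ip = IPAddr.new(addr) # raises IPAddr::InvalidAddressError (an ArgumentError)
    raise ArgumentError, "address family mismatch" unless (proto == "TCP4" ? ip.ipv4? : ip.ipv6?)
  end
  [sport, dport].each do |p|
    raise ArgumentError, "bad port" unless p.match?(PORT_RE) && p.to_i <= 65_535
  end

  fields = { "proxy_proto" => proto, "host" => src, "port" => sport.to_i,
             "proxy_host" => dst, "proxy_port" => dport.to_i }
  [fields, payload]
end

# Constructed sample: a v1 header followed by a shortened ASA syslog line.
SAMPLE = "PROXY TCP4 192.0.2.10 198.51.100.7 42546 5002\r\n" \
         "%ASA-6-305012: Teardown dynamic TCP translation\n"
```

With `SAMPLE`, `host` is the original client address and `proxy_host`/`proxy_port` are the address and port the proxy received the connection on, and the header never reaches the payload.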

colinsurprenant commented 6 years ago

This looks like it may be related to #80 and #51?

brendanrjohnson commented 6 years ago

It may be. Although #51 refers to JSON input. In my case, I am sending syslog from mostly Cisco switches. What can I provide to help troubleshoot the issue?

colinsurprenant commented 6 years ago

@brendanrjohnson can you provide your configuration details?