Filebeat Cisco module parsing sequence numbers with leading 0s as octal

[ycombinator]

Originally reported in https://discuss.elastic.co/t/cisco-module-arbitrary-parse-error-with-nearly-identical-messages/214884.

When the Filebeat (X-Pack) cisco/ios fileset is enabled and it encounters the following log line:

Jan 13 18:12:31 RO-ROM-VPN-KYOSA 022084: Jan 13 18:12:35.141 LCY: %SEC-6-IPACCESSLOGP: list 101 denied tcp 120.131.176.111(7133) -> 170.257.123.53(7547), 1 packet  

It fails with the following error:

GoError: failed in processor.convert: conversion of field [event.sequence] to type [long] failed: unable to convert value [022084]: strconv.ParseInt: parsing "022084": invalid syntax

However, parsing succeeds with a very similar line:

Jan 13 17:12:30 RO-ROM-VPN-KYOSA 021176: Jan 13 17:12:33.168 LCY: %SEC-6-IPACCESSLOGP: list 101 denied tcp 191.128.99.50(43651) -> 170.257.123.53(9943), 1 packet

---

Looking at the Cisco module source code, I believe this is where the failure is coming from:

beats/x-pack/filebeat/module/cisco/ios/config/pipeline.js

Lines 98 to 103 in 43eb364

	.Convert({
	fields: [
	{from: "event.sequence", type: "long"},
	],
	ignore_missing: true,
	})

Specifically, that bit of code tries to parse the sequence number string as an integer. It sees the leading 0 and tries to parse the string that follows as an octal (base 8) number. Since base 8 numbers can only have digits 0-7 in them, parsing of 022084 fails but parsing of 021176 succeeds.

I think the intent here is to parse the sequence number as a decimal (base 10) number.

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[andrewkroh]

I think we need to change the behavior of the convert processor to handle only hex and decimal. Leading zeros should be treated as decimal and not octal. This is consistent with the ingest node convert processor. https://github.com/elastic/elasticsearch/blob/34d006f82a3061f56c76266be2971a7db3bde4c6/modules/ingest-common/src/test/java/org/elasticsearch/ingest/common/ConvertProcessorTests.java#L62-L67