[Filebeat][Cisco ASA] log enhancement and performance#24744
Merged
andrewkroh merged 23 commits into elastic:master, Apr 19, 2021
Conversation
- Fixed some ECS issues
- added anchors on grok patterns for performance
- added messages: 434004, 434002, 713905, 750002, 750003, 110002, 419002, 602304, 602303, 713120, 713202, 713901, 713904, 713906, 713905
- with the message patterns added, this commit also adds four new event action types in the script that maps event actions to event.kind/category/type
- added set processor for adding outcome, action and protocol if necessary for the new messages
fix parsing error and add enhancements
fix 602303
commit after running tests.
… space in between is optional in log message
This finally fixes 106014.
We have, afaik, two options: use IPORHOST so it does not match '(type', or use '(?<destination.address>[^ (]*)' so we only stop on a space or '(' for the case where destination.address is weird.
NOTSPACE does not work in this case.
…/beats into evoila-ingestCiscoMessagePattern
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
💚 Build Succeeded
jenkins, run tests
This pull request is now in conflicts. Could you fix it? 🙏
mergify bot pushed a commit that referenced this pull request, Apr 19, 2021
* ecs fix - more message pattern
- Fixed some ECS issues
- added anchors on grok patterns for performance
- added messages:
-------------------------
434004
434002
713905
750002
750003
110002
419002
602304
602303
713120
713202
713901
713904
713906
713905
-------------------------
- with the message patterns added, this commit also adds four new event action types in the script that maps event actions to event.kind/category/type
- added set processor for adding outcome, action and protocol if necessary for the new messages
* Update asa-ftd-pipeline.yml
* Update asa-ftd-pipeline.yml
fix parsing error
and add enhancements
* Update asa-ftd-pipeline.yml
fix 602303
* testing for PR and some minor fixes
* commit for requested changes
* newline
* test
* make test commit
commit after running tests.
* Fix parsing on 106014 with an additional ${SPACE} in grok pattern, so space in between is optional in log message
* fixed 106014 finally
This finally fixes 106014.
We have, afaik, two options: use IPORHOST so it does not match '(type', or use '(?<destination.address>[^ (]*)' so we only stop on a space or '(' for the case where destination.address is weird.
NOTSPACE does not work in this case.
* after test commit
* Test after merge
* Update generated
* Add changelog
* Undo meraki generated file changes
* Update generated
Co-authored-by: pcosic <pcosic@evoila.de>
Co-authored-by: pcosic <69909732+pcosic@users.noreply.github.com>
(cherry picked from commit 226485b)
v1v added a commit to v1v/beats that referenced this pull request, Apr 20, 2021
…-github-pr-comment-template
* upstream/master:
  [Ingest Manager] Keep http and logging config during enroll (elastic#25132)
  Refactor kubernetes autodiscover to avoid skipping short-living pods (elastic#24742)
  [libbeat] New decode xml wineventlog processor (elastic#25115)
  Add svc to agent k8s clusterRole (elastic#25146)
  Add awsfargate module to collect container logs from Amazon ECS on Fargate (elastic#25041)
  [Filebeat][Cisco ASA] log enhancement and performance (elastic#24744)
  Watch kubernetes namespaces for autodiscover metadata for pods (elastic#25117)
  Cyberark Privileged Access Security module (elastic#24803)
  [Elastic Agent] Log the container command output with LOGS_PATH (elastic#25150)
  Fix for tests after `device...` field has been removed (elastic#25141)
  [Ingest Manager] Restart process on output change (elastic#24907)
  Set --insecure in container when FLEET_SERVER_ENABLE and FLEET_INSECURE set. (elastic#25137)
  [filebeat] Update documentation / changelog / beta warnings for the syslog input (elastic#25047)
  Add support for ignore_inactive in filestream input (elastic#25036)
  Fix bug with annotations dedot config on k8s not used (elastic#25111)
andrewkroh added a commit that referenced this pull request, Apr 20, 2021
andrewkroh added a commit that referenced this pull request, Apr 20, 2021
… (#25158)
* [Filebeat][Cisco ASA] log enhancement and performance (#24744)
  (cherry picked from commit 226485b)
* geoip updates
Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
This revives #20831, which I didn't have edit permissions on.
What does this PR do?
This PR resolves some reported issues with ECS and Cisco ASA/FTD and adds new message patterns.
Overview of the Changes:
Why is it important?
We think these are some of the most used message types in Cisco ASA logs.
Adding the anchors increases throughput/performance; this is described in more detail in this blog article: https://www.elastic.co/blog/do-you-grok-grok. We need more event.actions for specific logs/events.
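The destination.address question raised in the commit messages above, as an added example rather than code from the beats pipeline: a minimal grok-to-regex harness that runs the two options named there (IPORHOST and `(?<destination.address>[^ (]*)`) against constructed 106014 message bodies, with and without the space before "(type" and with a destination that is neither an IP nor a hostname. The grok pattern subset, the 106014 layout used here and the sample lines are assumptions; the field names follow ECS.

```python
import re
from typing import Optional

# Subset of the standard grok pattern library, spelled out so this runs offline.
GROK = {
    "IPV4": r"(?:(?:25[0-5]|2[0-4]\d|[01]?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d?\d)",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.|\b)",
    "NOTSPACE": r"\S+",
    "SPACE": r"\s*",
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+))",
}
GROK["IPORHOST"] = f"(?:{GROK['IPV4']}|{GROK['HOSTNAME']})"

def grok_to_regex(pattern: str) -> re.Pattern:
    """Expand %{NAME:field} references and Oniguruma-style (?<field>...) groups into a
    Python regex. Python forbids dots in group names, so they are stored as '__'."""
    def expand(m: re.Match) -> str:
        body = GROK[m.group(1)]
        return f"(?P<{m.group(2).replace('.', '__')}>{body})" if m.group(2) else f"(?:{body})"
    regex = re.sub(r"%\{(\w+)(?::([\w.]+))?\}", expand, pattern)
    regex = re.sub(r"\(\?<([\w.]+)>", lambda m: f"(?P<{m.group(1).replace('.', '__')}>", regex)
    return re.compile(regex)

def grok_match(pattern: str, line: str) -> Optional[dict]:
    """Grok semantics: the pattern is searched, not anchored, unless it carries ^ / $ itself."""
    m = grok_to_regex(pattern).search(line)
    return None if m is None else {k.replace("__", "."): v for k, v in m.groupdict().items()}

# Two candidate patterns for the body of ASA message 106014 (after the syslog header),
# differing only in how destination.address is captured. The ^/$ anchors let a non-matching
# line fail at offset 0 instead of being retried at every offset; %{SPACE} makes the blank
# before "(type" optional, as the fix describes.
HEAD = (r"^Deny inbound icmp src %{NOTSPACE:source.interface.name}:%{IPORHOST:source.address}"
        r" dst %{NOTSPACE:destination.interface.name}:")
TAIL = r"%{SPACE}\(type %{NUMBER:cisco.asa.icmp_type}, code %{NUMBER:cisco.asa.icmp_code}\)$"
PATTERN_IPORHOST = HEAD + r"%{IPORHOST:destination.address}" + TAIL
PATTERN_CLASS = HEAD + r"(?<destination.address>[^ (]*)" + TAIL

# Constructed sample bodies: with the space, without it, and with a destination that is
# neither an IP nor an RFC hostname (underscore), i.e. the "weird" destination.address case.
SAMPLES = [
    "Deny inbound icmp src outside:192.0.2.10 dst inside:10.0.0.5 (type 8, code 0)",
    "Deny inbound icmp src outside:192.0.2.10 dst inside:10.0.0.5(type 8, code 0)",
    "Deny inbound icmp src outside:192.0.2.10 dst inside:db_srv01(type 8, code 0)",
]

def destinations(pattern: str) -> list:
    """destination.address from each sample, or None where the pattern rejects the line."""
    return [(grok_match(pattern, s) or {}).get("destination.address") for s in SAMPLES]
```

`destinations(PATTERN_IPORHOST)` yields the address for the first two samples and None for the third, while `destinations(PATTERN_CLASS)` also captures `db_srv01`; because grok_match uses search semantics like Elasticsearch grok, only the `^`/`$` in the pattern stop a line with leading junk from matching.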