Integration Name
AWS [aws]
Integration Version
2.21.0
Agent Version
8.14
Agent Output Type
elasticsearch
Elasticsearch Version
8.14
OS Version and Architecture
Ubuntu 20.04 LTS
Software/API Version
No response
Error Message
Processor "dissect" with tag "" in pipeline "logs-aws.cloudtrail-2.21.0" failed with message "Unable to find match for dissect pattern: %{tls.version_protocol}v%{tls.version} against source: tlsVersion"
Event Original
I don't have access to the raw event directly, but partial data shows the following:
{
  "json": {
    "awsRegion": "eu-west-1",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0",
    "userIdentity": {},
    "additionalEventData": {
      "result": {
        "statusType": "success",
        "statusCode": "200"
      },
      "ipAddress": "1.2.3.4, 192.168.0.100",
      "action": "action",
      "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0",
      "additionalData": {},
      "user": {
        "isAnonymous": false,
        "orgRole": "Admin",
        "name": "some.user@example.com",
        "userId": 2,
        "orgId": 1
      },
      "timestamp": "2024-07-26T11:54:41.794979044Z"
    },
    "eventTime": "2024-07-26T11:54:41Z",
    "eventName": "action",
    "tlsDetails": {
      "tlsVersion": "tlsVersion",
      "cipherSuite": "cipherSuite",
      "clientProvidedHostHeader": "clientProvidedHostHeader"
    }
  }
}
What did you do?
Logs are collected using the Elastic Serverless Forwarder, no specific configuration whatsoever.
What did you see?
From time to time, log processing fails and the error.message field is set. The json.tlsDetails field does not contain data. The raw event seems to contain only this:
{
  "tlsDetails": {
    "tlsVersion": "tlsVersion",
    "cipherSuite": "cipherSuite",
    "clientProvidedHostHeader": "clientProvidedHostHeader"
  }
}
"Faulty" processor: https://github.com/elastic/integrations/blob/main/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml#L764.
What did you expect to see?
No error in processing the logs, empty fields for tls.version_protocol and tls.version. Maybe a conditional execution on the processor to avoid running it if json.tlsDetails.tlsVersion equals tlsVersion.
Anything else?
The following processors handling cipherSuite and clientProvidedHostHeader would need the same fix.