x-filebeat/modules/cisco: fix syslog priority handling#32025
Merged
efd6 merged 3 commits intoelastic:mainfrom Jun 23, 2022
Merged
x-filebeat/modules/cisco: fix syslog priority handling#32025efd6 merged 3 commits intoelastic:mainfrom
efd6 merged 3 commits intoelastic:mainfrom
Conversation
efd6
added
bug
Team:Security-External Integrations
backport-v8.3.0
Contributor
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
botelastic
bot
added
needs_team
5 tasks
efd6
changed the title
Contributor
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
💚 Flaky test reportTests succeeded. 🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
Contributor
Author
|
Windows failures look to be unrelated. |
Contributor
Author
|
/test |
andrewkroh
approved these changes
Jun 22, 2022
Contributor
Author
|
@andrewkroh What is your preferred approach to dealing with the test case? |
This is a temporary work around for the test case line
<14.2>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled
which includes an invalid syslog priority. This format does not appear anywhere
that I can find in the Cisco documentation and I cannot find another similar
example.
The original grok pattern definition was
<%{NONNEGINT:syslog.facility:int}(?:.%{NONNEGINT:syslog.priority:int})?>
which gives a result for this input that does not make sense since pri > facility
according to the specs. Perhaps facility.severity? But this is inconsistent with
the remaining log lines and also with the semantics of the log line here. The
alternative interpretations:
- 14.2 → facility 14 severity 2 → "log alert", "Critical"
- 14 → facility 1 severity 6 → "user-level messages", "Informational"
My suspicion is that it is a corrupted input.
Member
I also tried to find outside examples that had this format and it turned up nothing. So removing it is good with me. If we're wrong then we can add it back. |
Contributor
Author
|
It would be nice to know the provenance of the test case file since it is text with |
diff --git a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log2 b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log2 index cf204804bb..e362bb7f2d 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log +++ b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log @@ -31,4 +31,4 @@ <14>Aug 14 2019 14:02:19 mojo_server.pl: siem-management: admin@10.0.255.31, System > Configuration > Configuration, Page View <14>Aug 14 2019 14:02:31 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=AuditLog, Page View <14>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Local System Configuration, Save Local System Configuration -<14.2>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled +<14>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled
mergify bot
pushed a commit
that referenced
this pull request
Jun 23, 2022
With this change one of the existing test cases fails because of a non-
standard syslog pri value.
<14.2>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled
This format does not appear anywhere that I can find in the Cisco
documentation and I cannot find another similar example.
The original grok pattern definition was
<%{NONNEGINT:syslog.facility:int}(?:.%{NONNEGINT:syslog.priority:int})?>
which gives a result for this input that does not make sense since pri > facility
according to the specs. Perhaps facility.severity? But this is inconsistent with
the remaining log lines and also with the semantics of the log line here. The
alternative interpretations are:
- 14.2 → facility 14 severity 2 → "log alert", "Critical"
- 14 → facility 1 severity 6 → "user-level messages", "Informational"
Note also that the pattern definition uses an unescaped dot rather than
a dot literal which is surprising.
My suspicion is that it is a corrupted input and I have edited it to prevent
the failure. Since the input is line terminated by "\00x0a\00x00" it shows
us as a binary file in the diff, so the change is shown here:
diff --git a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log2 b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log2
index cf204804bb..e362bb7f2d 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log
+++ b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log
@@ -31,4 +31,4 @@
<14>Aug 14 2019 14:02:19 mojo_server.pl: siem-management: admin@10.0.255.31, System > Configuration > Configuration, Page View
<14>Aug 14 2019 14:02:31 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=AuditLog, Page View
<14>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Local System Configuration, Save Local System Configuration
-<14.2>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled
+<14>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled
(cherry picked from commit ea65707)
# Conflicts:
# x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
mergify bot
pushed a commit
that referenced
this pull request
Jun 23, 2022
With this change one of the existing test cases fails because of a non-
standard syslog pri value.
<14.2>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled
This format does not appear anywhere that I can find in the Cisco
documentation and I cannot find another similar example.
The original grok pattern definition was
<%{NONNEGINT:syslog.facility:int}(?:.%{NONNEGINT:syslog.priority:int})?>
which gives a result for this input that does not make sense since pri > facility
according to the specs. Perhaps facility.severity? But this is inconsistent with
the remaining log lines and also with the semantics of the log line here. The
alternative interpretations are:
- 14.2 → facility 14 severity 2 → "log alert", "Critical"
- 14 → facility 1 severity 6 → "user-level messages", "Informational"
Note also that the pattern definition uses an unescaped dot rather than
a dot literal which is surprising.
My suspicion is that it is a corrupted input and I have edited it to prevent
the failure. Since the input is line terminated by "\00x0a\00x00" it shows
us as a binary file in the diff, so the change is shown here:
diff --git a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log2 b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log2
index cf204804bb..e362bb7f2d 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log
+++ b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log
@@ -31,4 +31,4 @@
<14>Aug 14 2019 14:02:19 mojo_server.pl: siem-management: admin@10.0.255.31, System > Configuration > Configuration, Page View
<14>Aug 14 2019 14:02:31 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=AuditLog, Page View
<14>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Local System Configuration, Save Local System Configuration
-<14.2>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled
+<14>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled
(cherry picked from commit ea65707)
efd6
added a commit
that referenced
this pull request
Jun 23, 2022
With this change one of the existing test cases fails because of a non-
standard syslog pri value.
<14.2>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled
This format does not appear anywhere that I can find in the Cisco
documentation and I cannot find another similar example.
The original grok pattern definition was
<%{NONNEGINT:syslog.facility:int}(?:.%{NONNEGINT:syslog.priority:int})?>
which gives a result for this input that does not make sense since pri > facility
according to the specs. Perhaps facility.severity? But this is inconsistent with
the remaining log lines and also with the semantics of the log line here. The
alternative interpretations are:
- 14.2 → facility 14 severity 2 → "log alert", "Critical"
- 14 → facility 1 severity 6 → "user-level messages", "Informational"
Note also that the pattern definition uses an unescaped dot rather than
a dot literal which is surprising.
My suspicion is that it is a corrupted input and I have edited it to prevent
the failure. Since the input is line terminated by "\00x0a\00x00" it shows
us as a binary file in the diff, so the change is shown here:
diff --git a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log2 b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log2
index cf204804bb..e362bb7f2d 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log
+++ b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log
@@ -31,4 +31,4 @@
<14>Aug 14 2019 14:02:19 mojo_server.pl: siem-management: admin@10.0.255.31, System > Configuration > Configuration, Page View
<14>Aug 14 2019 14:02:31 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=AuditLog, Page View
<14>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Local System Configuration, Save Local System Configuration
-<14.2>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled
+<14>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled
(cherry picked from commit ea65707)
Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
efd6
added a commit
that referenced
this pull request
Jun 23, 2022
… handling (#32062) * x-filebeat/modules/cisco: fix syslog priority handling (#32025) With this change one of the existing test cases fails because of a non- standard syslog pri value. <14.2>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled This format does not appear anywhere that I can find in the Cisco documentation and I cannot find another similar example. The original grok pattern definition was <%{NONNEGINT:syslog.facility:int}(?:.%{NONNEGINT:syslog.priority:int})?> which gives a result for this input that does not make sense since pri > facility according to the specs. Perhaps facility.severity? But this is inconsistent with the remaining log lines and also with the semantics of the log line here. The alternative interpretations are: - 14.2 → facility 14 severity 2 → "log alert", "Critical" - 14 → facility 1 severity 6 → "user-level messages", "Informational" Note also that the pattern definition uses an unescaped dot rather than a dot literal which is surprising. My suspicion is that it is a corrupted input and I have edited it to prevent the failure. Since the input is line terminated by "\00x0a\00x00" it shows us as a binary file in the diff, so the change is shown here: diff --git a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log2 b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log2 index cf204804bb..e362bb7f2d 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log +++ b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log @@ -31,4 +31,4 @@ <14>Aug 14 2019 14:02:19 mojo_server.pl: siem-management: admin@10.0.255.31, System > Configuration > Configuration, Page View <14>Aug 14 2019 14:02:31 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=AuditLog, Page View <14>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Local System Configuration, Save Local System Configuration -<14.2>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled +<14>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled (cherry picked from commit ea65707) # Conflicts: # x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json * resolve conflicts Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com> Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
leweafan
pushed a commit
to leweafan/beats
that referenced
this pull request
Apr 28, 2023
…riority handling (elastic#32062) * x-filebeat/modules/cisco: fix syslog priority handling (elastic#32025) With this change one of the existing test cases fails because of a non- standard syslog pri value. <14.2>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled This format does not appear anywhere that I can find in the Cisco documentation and I cannot find another similar example. The original grok pattern definition was <%{NONNEGINT:syslog.facility:int}(?:.%{NONNEGINT:syslog.priority:int})?> which gives a result for this input that does not make sense since pri > facility according to the specs. Perhaps facility.severity? But this is inconsistent with the remaining log lines and also with the semantics of the log line here. The alternative interpretations are: - 14.2 → facility 14 severity 2 → "log alert", "Critical" - 14 → facility 1 severity 6 → "user-level messages", "Informational" Note also that the pattern definition uses an unescaped dot rather than a dot literal which is surprising. My suspicion is that it is a corrupted input and I have edited it to prevent the failure. Since the input is line terminated by "\00x0a\00x00" it shows us as a binary file in the diff, so the change is shown here: diff --git a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log2 b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log2 index cf204804bb..e362bb7f2d 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log +++ b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log @@ -31,4 +31,4 @@ <14>Aug 14 2019 14:02:19 mojo_server.pl: siem-management: admin@10.0.255.31, System > Configuration > Configuration, Page View <14>Aug 14 2019 14:02:31 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=AuditLog, Page View <14>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Local System Configuration, Save Local System Configuration -<14.2>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled +<14>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled (cherry picked from commit ea65707) # Conflicts: # x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json * resolve conflicts Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com> Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
chrisberkhout
pushed a commit
that referenced
this pull request
Jun 1, 2023
With this change one of the existing test cases fails because of a non-
standard syslog pri value.
<14.2>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled
This format does not appear anywhere that I can find in the Cisco
documentation and I cannot find another similar example.
The original grok pattern definition was
<%{NONNEGINT:syslog.facility:int}(?:.%{NONNEGINT:syslog.priority:int})?>
which gives a result for this input that does not make sense since pri > facility
according to the specs. Perhaps facility.severity? But this is inconsistent with
the remaining log lines and also with the semantics of the log line here. The
alternative interpretations are:
- 14.2 → facility 14 severity 2 → "log alert", "Critical"
- 14 → facility 1 severity 6 → "user-level messages", "Informational"
Note also that the pattern definition uses an unescaped dot rather than
a dot literal which is surprising.
My suspicion is that it is a corrupted input and I have edited it to prevent
the failure. Since the input is line terminated by "\00x0a\00x00" it shows
us as a binary file in the diff, so the change is shown here:
diff --git a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log2 b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log2
index cf204804bb..e362bb7f2d 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log
+++ b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log
@@ -31,4 +31,4 @@
<14>Aug 14 2019 14:02:19 mojo_server.pl: siem-management: admin@10.0.255.31, System > Configuration > Configuration, Page View
<14>Aug 14 2019 14:02:31 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=AuditLog, Page View
<14>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Local System Configuration, Save Local System Configuration
-<14.2>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled
+<14>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
This fixes the mapping of syslog priority and its derived values and their extraction.
Why is it important?
The mapping is currently incorrect and syslog written facility values are wrong.
Checklist
I have commented my code, particularly in hard-to-understand areasI have made corresponding changes to the documentationI have made corresponding change to the default configuration filesCHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Author's Checklist
How to test this PR locally
Related issues
syslog.facilityintegrations#3507Use cases
Screenshots
Logs