
[8.3](backport #32025) x-filebeat/modules/cisco: fix syslog priority handling#32063

Merged: efd6 merged 1 commit into 8.3 from mergify/bp/8.3/pr-32025 on Jun 23, 2022

Conversation

mergify bot (Contributor) commented Jun 23, 2022

This is an automatic backport of pull request #32025 done by Mergify.


With this change one of the existing test cases fails because of a non-standard syslog pri value.

 <14.2>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings >  Modified: Send Audit Log to Syslog enabled > Disabled

This format does not appear anywhere that I can find in the Cisco
documentation and I cannot find another similar example.

The original grok pattern definition was

 <%{NONNEGINT:syslog.facility:int}(?:.%{NONNEGINT:syslog.priority:int})?>

which gives a result for this input that does not make sense since pri > facility
according to the specs. Perhaps facility.severity? But this is inconsistent with
the remaining log lines and also with the semantics of the log line here. The
alternative interpretations are:

- 14.2 → facility 14 severity 2 → "log alert", "Critical"
- 14 → facility 1 severity 6 → "user-level messages", "Informational"

Note also that the pattern definition uses an unescaped dot rather than
a dot literal which is surprising.

My suspicion is that it is a corrupted input and I have edited it to prevent
the failure. Since the input is line terminated by "\00x0a\00x00" it shows
up as a binary file in the diff, so the change is shown here:

diff --git a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log2 b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log2
index cf204804bb..e362bb7f2d 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log
+++ b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log
@@ -31,4 +31,4 @@
 <14>Aug 14 2019 14:02:19 mojo_server.pl: siem-management: admin@10.0.255.31, System > Configuration > Configuration, Page View
 <14>Aug 14 2019 14:02:31 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=AuditLog, Page View
 <14>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Local System Configuration, Save Local System Configuration
-<14.2>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings >  Modified: Send Audit Log to Syslog enabled > Disabled
+<14>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings >  Modified: Send Audit Log to Syslog enabled > Disabled
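Review bot: the `diff --git` header names `a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log2`, while the `---`/`+++` lines immediately below name `firepower-management.log`; because this hunk is hand-pasted (git shows the fixture as binary), the three paths should agree so a reader can tell which fixture file was actually edited. A secondary point: the hunk removes the only `<14.2>` line rather than keeping a case that shows what the corrected pattern does with such input, so if the non-standard PRI is ever expected from a device, a dedicated test line with its expected parse result would be worth adding alongside this fix.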

(cherry picked from commit ea65707)
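The two readings of `<14.2>` listed above (facility 14 / severity 2 versus a plain PRI of 14) follow from how RFC 5424 encodes the PRI field: PRI = facility * 8 + severity, with no dot and a value in 0..191. The following is an added example, not code from the Beats repository or from the PR author, that decodes standard PRIs with the RFC 5424 facility and severity names, recognises the dotted form only to report both readings, and scans a fixture for lines that would not parse under a strict pattern. The `SAMPLE_LINES` fixture is constructed here in the shape of the test file excerpted in the diff; the helper names are this example's own.

```python
import re

# RFC 5424 section 6.2.1 facility and severity names (standard values, not assumptions).
FACILITIES = [
    "kernel messages", "user-level messages", "mail system", "system daemons",
    "security/authorization messages", "messages generated internally by syslogd",
    "line printer subsystem", "network news subsystem", "UUCP subsystem",
    "clock daemon", "security/authorization messages", "FTP daemon",
    "NTP subsystem", "log audit", "log alert", "clock daemon",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = [
    "Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
    "Informational", "Debug",
]

# Standard PRI: 1-3 digits, no leading zeros (RFC 5424 forbids them), no dot.
STANDARD_PRI_RE = re.compile(r"^<(?P<pri>0|[1-9]\d{0,2})>")
# The dotted form the old grok pattern tolerated ("<14.2>"). No RFC defines it; it is
# matched here only so the two competing readings can be reported side by side.
DOTTED_PRI_RE = re.compile(r"^<(?P<a>\d{1,3})\.(?P<b>\d{1,3})>")


def decode_pri(pri: int):
    """Split a numeric PRI into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} outside the RFC 5424 range 0..191")
    return divmod(pri, 8)


def parse_header(line: str) -> dict:
    """Classify the PRI at the start of a syslog line.

    status "standard": decoded facility/severity and their names.
    status "nonstandard": dotted form, with both readings the PR description weighs.
    status "out_of_range" / "no_pri": malformed or missing PRI.
    """
    m = STANDARD_PRI_RE.match(line)
    if m:
        pri = int(m.group("pri"))
        try:
            facility, severity = decode_pri(pri)
        except ValueError:
            return {"status": "out_of_range", "raw": m.group(0), "message": line[m.end():]}
        return {
            "status": "standard", "pri": pri,
            "facility": facility, "facility_name": FACILITIES[facility],
            "severity": severity, "severity_name": SEVERITIES[severity],
            "message": line[m.end():],
        }
    m = DOTTED_PRI_RE.match(line)
    if m:
        a, b = int(m.group("a")), int(m.group("b"))
        readings = {}
        # Reading 1: take "facility.severity" literally, as the old field names suggested.
        if a < len(FACILITIES) and b < len(SEVERITIES):
            readings["facility.severity"] = (FACILITIES[a], SEVERITIES[b])
        # Reading 2: ignore the suffix and decode the leading number as an ordinary PRI.
        if 0 <= a <= 191:
            f, s = decode_pri(a)
            readings["leading_pri"] = (FACILITIES[f], SEVERITIES[s])
        return {"status": "nonstandard", "raw": m.group(0), "readings": readings,
                "message": line[m.end():]}
    return {"status": "no_pri", "message": line}


def find_nonstandard(lines) -> list:
    """Return the indexes of fixture lines whose PRI is not a standard RFC 5424 value."""
    return [i for i, line in enumerate(lines) if parse_header(line)["status"] != "standard"]


# Constructed fixture in the shape of the firepower-management test file (sample data).
SAMPLE_LINES = [
    "<14>Aug 14 2019 14:02:19 mojo_server.pl: siem-management: admin@10.0.255.31, "
    "System > Configuration > Configuration, Page View",
    "<14>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, "
    "Devices > Platform Settings > Local System Configuration, Save Local System Configuration",
    "<14.2>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, "
    "Devices > Platform Settings > Audit Log Settings >  Modified: Send Audit Log to Syslog enabled > Disabled",
]

if __name__ == "__main__":
    for idx in find_nonstandard(SAMPLE_LINES):
        info = parse_header(SAMPLE_LINES[idx])
        print(f"line {idx}: {info['status']} PRI {info.get('raw')} -> {info.get('readings')}")
```

Running the module reports the `<14.2>` line as non-standard and shows that the literal reading gives "log alert"/"Critical" while the leading-number reading gives "user-level messages"/"Informational", which is why neither can be reconciled with the surrounding `<14>` lines. The strict regex is the behaviour a parser should default to; tolerating the dotted form, as the old grok pattern implicitly did, silently assigns a facility and severity that the sending device never expressed.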
@mergify mergify bot requested a review from a team as a code owner June 23, 2022 03:07
@mergify mergify bot added the backport label Jun 23, 2022
@mergify mergify bot assigned efd6 Jun 23, 2022
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jun 23, 2022
botelastic bot commented Jun 23, 2022

This pull request doesn't have a Team:<team> label.

elasticmachine (Contributor) commented:

💚 Build Succeeded


Build stats

  • Start Time: 2022-06-23T03:07:38.378+0000

  • Duration: 81 min 49 sec

Test stats 🧪

Test Results: Failed 0, Passed 2120, Skipped 166, Total 2286

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@efd6 efd6 merged commit 1de3ef7 into 8.3 Jun 23, 2022
@mergify mergify bot deleted the mergify/bp/8.3/pr-32025 branch June 23, 2022 04:56

Labels

backport needs_team Indicates that the issue/PR needs a Team:* label


2 participants