[Infoblox NIOS] Handle the parsing of IPv6 address

packages/infoblox_nios/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.29.1"
+  changes:
+    - description: Handle the parsing of octal encoded IPv6 address.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/13947
 - version: "1.29.0"
   changes:
     - description: Support AD authentication failure log messages.

packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-audit.log

@@ -24,3 +24,5 @@
 <29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-29 18:30:58.656Z [admin]: Created Ruleset
 <11>Feb 26 16:05:03  mygridmaster.mydom.tld 81.2.69.144 httpd: my-dc.mysubdom.mydom.tld: AD authentication for user myadminuser failed
 <46>Aug 24 19:50:09 10.0.0.1 -- MARK --
+<11>Apr 4 06:17:22  myhost.mydom.tld 81.2.69.144 httpd: 2025-04-22 06:17:22.110Z [adminUSER]: Login_Allowed - - to=AdminConnector ip=2a02\072cf40\072\072 auth=AD group=MySecureADGRroup apparently_via=GUI
+<11>Apr 4 06:17:22 myhost.mydom.tld 81.2.69.144 httpd: 2025-04-22 06:17:22.110Z [adminUSER]: Login_Allowed - - to=AdminConnector ip=2a02\143f40\072\072 auth=AD group=MySecureADGRroup apparently_via=GUI

packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-audit.log-expected.json

@@ -1259,6 +1259,128 @@
             "tags": [
                 "preserve_original_event"
             ]
+        },
+        {
+            "@timestamp": "2025-04-22T06:17:22.110Z",
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "login_allowed",
+                "category": [
+                    "authentication"
+                ],
+                "created": "2025-04-04T06:17:22.000Z",
+                "original": "<11>Apr 4 06:17:22  myhost.mydom.tld 81.2.69.144 httpd: 2025-04-22 06:17:22.110Z [adminUSER]: Login_Allowed - - to=AdminConnector ip=2a02\\072cf40\\072\\072 auth=AD group=MySecureADGRroup apparently_via=GUI",
+                "outcome": "success",
+                "type": [
+                    "start"
+                ]
+            },
+            "host": {
+                "domain": "myhost.mydom.tld",
+                "ip": [
+                    "81.2.69.144"
+                ]
+            },
+            "infoblox_nios": {
+                "log": {
+                    "audit": {
+                        "apparently_via": "GUI",
+                        "auth": "AD",
+                        "group": "MySecureADGRroup",
+                        "ip": "2a02:cf40::",
+                        "to": "AdminConnector"
+                    },
+                    "service_name": "httpd",
+                    "type": "AUDIT"
+                }
+            },
+            "log": {
+                "syslog": {
+                    "priority": 11
+                }
+            },
+            "message": "2025-04-22 06:17:22.110Z [adminUSER]: Login_Allowed - - to=AdminConnector ip=2a02\\072cf40\\072\\072 auth=AD group=MySecureADGRroup apparently_via=GUI",
+            "related": {
+                "hosts": [
+                    "myhost.mydom.tld"
+                ],
+                "ip": [
+                    "2a02:cf40::",
+                    "81.2.69.144"
+                ],
+                "user": [
+                    "adminUSER"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "name": "adminUSER"
+            }
+        },
+        {
+            "@timestamp": "2025-04-22T06:17:22.110Z",
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "login_allowed",
+                "category": [
+                    "authentication"
+                ],
+                "created": "2025-04-04T06:17:22.000Z",
+                "original": "<11>Apr 4 06:17:22 myhost.mydom.tld 81.2.69.144 httpd: 2025-04-22 06:17:22.110Z [adminUSER]: Login_Allowed - - to=AdminConnector ip=2a02\\143f40\\072\\072 auth=AD group=MySecureADGRroup apparently_via=GUI",
+                "outcome": "success",
+                "type": [
+                    "start"
+                ]
+            },
+            "host": {
+                "domain": "myhost.mydom.tld",
+                "ip": [
+                    "81.2.69.144"
+                ]
+            },
+            "infoblox_nios": {
+                "log": {
+                    "audit": {
+                        "apparently_via": "GUI",
+                        "auth": "AD",
+                        "group": "MySecureADGRroup",
+                        "ip": "2a02:cf40::",
+                        "to": "AdminConnector"
+                    },
+                    "service_name": "httpd",
+                    "type": "AUDIT"
+                }
+            },
+            "log": {
+                "syslog": {
+                    "priority": 11
+                }
+            },
+            "message": "2025-04-22 06:17:22.110Z [adminUSER]: Login_Allowed - - to=AdminConnector ip=2a02\\143f40\\072\\072 auth=AD group=MySecureADGRroup apparently_via=GUI",
+            "related": {
+                "hosts": [
+                    "myhost.mydom.tld"
+                ],
+                "ip": [
+                    "2a02:cf40::",
+                    "81.2.69.144"
+                ],
+                "user": [
+                    "adminUSER"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "name": "adminUSER"
+            }
         }
     ]
 }

packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audit.yml

@@ -111,6 +111,35 @@ processors:
           }
           ctx.infoblox_nios.log.audit[m.getKey()] = value;
         }
+  - script:
+      description: Decode octal escape sequences in IP address.
+      lang: painless
+      if: ctx.infoblox_nios?.log?.audit?.ip != null
+      source: >
+        String s = ctx.infoblox_nios.log.audit.ip;
+        StringBuilder sb = new StringBuilder();
+        for (int i = 0; i < s.length();) {
+            if (s.charAt(i) == (char)'\\') {
+                sb.append(':');
+                int b = Integer.parseInt(s.substring(i+1,i+4), 8);
+                if (b != (char)':') {
+                    sb.append((char)b);
+                }
+                i+=4;
+                continue;
+            }
+            sb.append(s.charAt(i));
+            i++;
+        }
+        ctx.infoblox_nios.log.audit.ip = sb.toString();
+      on_failure:
+        - append:
+            field: error.message
+            value: >-
+              Processor '{{{ _ingest.on_failure_processor_type }}}'
+              {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+              {{{/_ingest.on_failure_processor_tag}}}in pipeline {{{_ingest.pipeline}}}
+              failed with message '{{{ _ingest.on_failure_message }}}'
   - convert:
       field: infoblox_nios.log.audit.ip
       if: ctx.infoblox_nios?.log?.audit?.ip != null && ctx.infoblox_nios.log.audit.ip != ''

packages/infoblox_nios/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: infoblox_nios
 title: Infoblox NIOS
-version: "1.29.0"
+version: "1.29.1"
 description: Collect logs from Infoblox NIOS with Elastic Agent.
 type: integration
 categories: