Skip to content

Commit

Permalink
#25575: Fix checkpoint.action_reason when its a string, not a Long (#…
Browse files Browse the repository at this point in the history
  • Loading branch information
legoguy1000 authored May 10, 2021
1 parent afbdaa9 commit f432b92
Show file tree
Hide file tree
Showing 7 changed files with 79 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -396,6 +396,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fix s3 input when there is a blank line in the log file. {pull}25357[25357]
- Fix Nginx module pipelines. {issue}19088[19088] {pull}24699[24699]
- Remove space from field `sophos.xg.trans_src_ ip`. {issue}25154[25154] {pull}25250[25250]
- Fix `checkpoint.action_reason` when its a string, not a Long. {issue}25575[25575] {pull}25609[25609]

*Heartbeat*

Expand Down
10 changes: 10 additions & 0 deletions filebeat/docs/fields.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -20117,6 +20117,16 @@ type: integer

--

*`checkpoint.action_reason_msg`*::
+
--
Connection drop reason message.


type: keyword

--

*`checkpoint.c_bytes`*::
+
--
Expand Down
2 changes: 1 addition & 1 deletion x-pack/filebeat/module/checkpoint/fields.go

Large diffs are not rendered by default.

6 changes: 6 additions & 0 deletions x-pack/filebeat/module/checkpoint/firewall/_meta/fields.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1949,6 +1949,12 @@
description: >
Connection drop reason.
- name: action_reason_msg
type: keyword
overwrite: true
description: >
Connection drop reason message.
- name: c_bytes
type: integer
overwrite: true
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -741,6 +741,11 @@ processors:
source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets"
if: ctx?.source?.packets != null && ctx?.destination?.packets != null && ctx?.network?.packets == null
ignore_failure: true
- rename:
field: checkpoint.action_reason
target_field: checkpoint.action_reason_msg
if: ctx.checkpoint?.action_reason != null && ctx.checkpoint?.action_reason.contains(" ")
ignore_missing: true
- geoip:
field: source.ip
target_field: source.geo
Expand Down
Original file line number Diff line number Diff line change
@@ -1 +1,2 @@
<134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 7776 - [action:"Accept"; flags:"444676"; ifdir:"outbound"; ifname:"eth0"; logid:"0"; loguid:"{0x5e819dc3,0x0,0x353707c7,0xee78a1dc}"; origin:"192.168.1.100"; originsicname:"cn=cp_mgmt,o=gw-da58d3..tmn8s8"; sequencenum:"1"; time:"1594646954"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1585502566;policy_name=Standard\]"; dst:"192.168.1.153"; inzone:"Local"; layer_name:"Network"; layer_uuid:"63b7fe60-76d2-4287-bca5-21af87337b0a"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1fde807b-6300-4b1a-914f-f1c1f3e2e7d2"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43103"; service:"514"; service_id:"syslog"; src:"192.168.1.100"]
<134>1 2021-05-05T12:27:09Z cp-m CheckPoint 1231 - [action:"Drop"; flags:"278528"; ifdir:"inbound"; ifname:"bond1.3999"; loguid:"{0x60928f1d,0x8,0x40de101f,0xfcdbb197}"; origin:"127.0.0.1"; originsicname:"CN=CP,O=cp.com.9jjkfo"; sequencenum:"62"; time:"1620217629"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={F6212FB3-54CE-6344-9164-B224119E2B92};mgmt=cp-m;date=1620031791;policy_name=CP-Cluster]"; action_reason:"Dropped by multiportal infrastructure"; dst:"1.1.1.1"; product:"VPN & FireWall"; proto:"6"; s_port:"52780"; service:"80"; src:"1.1.1.1"]
Original file line number Diff line number Diff line change
Expand Up @@ -52,5 +52,60 @@
"checkpoint-firewall",
"forwarded"
]
},
{
"@timestamp": "2021-05-05T12:27:09.000Z",
"checkpoint.action_reason_msg": "Dropped by multiportal infrastructure",
"client.ip": "1.1.1.1",
"client.port": 52780,
"destination.as.number": 13335,
"destination.as.organization.name": "Cloudflare, Inc.",
"destination.geo.continent_name": "Oceania",
"destination.geo.country_iso_code": "AU",
"destination.geo.country_name": "Australia",
"destination.geo.location.lat": -33.494,
"destination.geo.location.lon": 143.2104,
"destination.ip": "1.1.1.1",
"destination.port": 80,
"event.action": "Drop",
"event.category": [
"network"
],
"event.dataset": "checkpoint.firewall",
"event.id": "{0x60928f1d,0x8,0x40de101f,0xfcdbb197}",
"event.kind": "event",
"event.module": "checkpoint",
"event.sequence": 62,
"event.timezone": "-02:00",
"fileset.name": "firewall",
"input.type": "log",
"log.offset": 797,
"network.direction": "inbound",
"network.iana_number": "6",
"observer.ingress.interface.name": "bond1.3999",
"observer.name": "127.0.0.1",
"observer.product": "VPN & FireWall",
"observer.type": "firewall",
"observer.vendor": "Checkpoint",
"related.ip": [
"1.1.1.1",
"1.1.1.1"
],
"server.ip": "1.1.1.1",
"server.port": 80,
"service.type": "checkpoint",
"source.as.number": 13335,
"source.as.organization.name": "Cloudflare, Inc.",
"source.geo.continent_name": "Oceania",
"source.geo.country_iso_code": "AU",
"source.geo.country_name": "Australia",
"source.geo.location.lat": -33.494,
"source.geo.location.lon": 143.2104,
"source.ip": "1.1.1.1",
"source.port": 52780,
"tags": [
"checkpoint-firewall",
"forwarded"
]
}
]

0 comments on commit f432b92

Please sign in to comment.