Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Filebeat - Cisco ASA Module rejected messages #14034

Closed
nicpalmer opened this issue Oct 14, 2019 · 2 comments · Fixed by #14035 or #18376
Closed

Filebeat - Cisco ASA Module rejected messages #14034

nicpalmer opened this issue Oct 14, 2019 · 2 comments · Fixed by #14035 or #18376
Assignees
@adriansr

Comments

@nicpalmer
Copy link

nicpalmer commented Oct 14, 2019
edited
Loading

Elasticsearch is refusing to index certain documents that ASA's may generate.

elasticsearch___Could not index event to Elasticsearch. status: 400, action: ["index", {:_id=>nil, :_index=>"filebeat-7.3.2-2019.10.04", :_type=>"_doc", :routing=>nil, :pipeline=>"filebeat-7.3.2-cisco-asa-pipeline"}, #<LogStash::Event:0x5134782c>], response: {"index"=>{"_index"=>"filebeat-7.3.2-2019.10.04", "_type"=>"_doc", "_id"=>"aiksl20BYcEPgcTtSR2M", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [source.ip] of type [ip] in document with id 'aiksl20BYcEPgcTtSR2M'. Preview of field's value: 'ABRDH-BR01-JL01-V304-70.80.42.149'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'ABRDH-BR01-JL01-V304-70.80.42.149' is not an IP string literal."}}}}

The raw message is here:

<165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/ABRDH-BR01-JL01-V304-70.80.42.149(27218) -> OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000]

The reason for this happening I believe is due to the parsing rule for 106100.

- dissect:
     if: "ctx._temp_.cisco.message_id == '106100'"
     field: "message"
     pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.ip}(%{source.port}) -> %{_temp_.cisco.destination_interface}/%{destination.ip}(%{destination.port}) %{}"

I wonder if we can add an option to capture the name field to the dissect message?
adriansr added a commit to adriansr/beats that referenced this issue Oct 14, 2019
@adriansr
Fix Cisco ASA and FTD parsing of unexpected domain names
eb2f86c 
This patch makes the Cisco ASA and FTD ingest pipeline handle the case
where a domain name is found for a field where an IP is expected
according to the documentation.

To do so it follows ECS guidelines, setting .address to be the raw value
and .ip or .domain from it, depending if it's a valid IP address or not.

Fixes elastic#14034
@adriansr adriansr mentioned this issue Oct 14, 2019
Merged
adriansr added a commit that referenced this issue Oct 14, 2019
@adriansr
Fix Cisco ASA and FTD parsing of unexpected domain names (#14035)
a678bc9 
This patch makes the Cisco ASA and FTD ingest pipeline handle the case
where a domain name is found for a field where an IP is expected
according to the documentation.

To do so it follows ECS guidelines, setting .address to be the raw value
and .ip or .domain from it, depending if it's a valid IP address or not.

Fixes #14034
adriansr added a commit to adriansr/beats that referenced this issue Oct 14, 2019
@adriansr
Fix Cisco ASA and FTD parsing of unexpected domain names (elastic#14035)
6571397 
This patch makes the Cisco ASA and FTD ingest pipeline handle the case
where a domain name is found for a field where an IP is expected
according to the documentation.

To do so it follows ECS guidelines, setting .address to be the raw value
and .ip or .domain from it, depending if it's a valid IP address or not.

Fixes elastic#14034

(cherry picked from commit a678bc9)
@adriansr adriansr mentioned this issue Oct 14, 2019
Merged
adriansr added a commit that referenced this issue Oct 15, 2019
@adriansr
Cherry-pick #14035 to 7.4: Fix Cisco ASA and FTD parsing of unexpecte…
9bc4dcd 
…d domain names (#14040)

This patch makes the Cisco ASA and FTD ingest pipeline handle the case
where a domain name is found for a field where an IP is expected
according to the documentation.

To do so it follows ECS guidelines, setting .address to be the raw value
and .ip or .domain from it, depending if it's a valid IP address or not.

Fixes #14034

(cherry picked from commit a678bc9)
@HaZet1968
Copy link

Same here for field [source.nat.ip]. Filebeat Version 7.5.2

[2020-01-29T10:03:33,635][WARN ][logstash.outputs.elasticsearch][beats] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"filebeat-7.5.2-2020.01.29", :routing=>nil, :_type=>"_doc", :pipeline=>"filebeat-7.5.2-cisco-asa-asa-ftd-pipeline"}, #<LogStash::Event:0x479fcb69>], :response=>{"index"=>{"_index"=>"filebeat-7.5.2-2020.01.29", "_type"=>"_doc", "_id"=>"RreK8G8BWYzewJIFnCTn", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [source.nat.ip] of type [ip] in document with id 'RreK8G8BWYzewJIFnCTn'. Preview of field's value: 'SDC'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'SDC' is not an IP string literal."}}}}}

@adriansr adriansr reopened this Jan 29, 2020
@adriansr adriansr self-assigned this Jan 29, 2020
@HaZet1968
Copy link

Anything new here? Still waiting for a fix. Currently using Version 7.6.2

@adriansr adriansr mentioned this issue May 8, 2020
Merged
6 tasks
@immon immon mentioned this issue May 11, 2020
Closed
This was referenced May 14, 2020
Merged
Merged
Merged
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
@adriansr
Cherry-pick elastic#14035 to 7.4: Fix Cisco ASA and FTD parsing of un…
883bf27 
…expected domain names (elastic#14040)

This patch makes the Cisco ASA and FTD ingest pipeline handle the case
where a domain name is found for a field where an IP is expected
according to the documentation.

To do so it follows ECS guidelines, setting .address to be the raw value
and .ip or .domain from it, depending if it's a valid IP address or not.

Fixes elastic#14034

(cherry picked from commit 9f20d7c)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@adriansr adriansr

Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@nicpalmer @adriansr @HaZet1968