
Filebeat - Cisco ASA Module rejected messages #14034

Closed
nicpalmer opened this issue Oct 14, 2019 · 2 comments · Fixed by #14035 or #18376

nicpalmer commented Oct 14, 2019

Elasticsearch is refusing to index certain documents that ASAs may generate.

elasticsearch___Could not index event to Elasticsearch. status: 400, action: ["index", {:_id=>nil, :_index=>"filebeat-7.3.2-2019.10.04", :_type=>"_doc", :routing=>nil, :pipeline=>"filebeat-7.3.2-cisco-asa-pipeline"}, #<LogStash::Event:0x5134782c>], response: {"index"=>{"_index"=>"filebeat-7.3.2-2019.10.04", "_type"=>"_doc", "_id"=>"aiksl20BYcEPgcTtSR2M", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [source.ip] of type [ip] in document with id 'aiksl20BYcEPgcTtSR2M'. Preview of field's value: 'ABRDH-BR01-JL01-V304-70.80.42.149'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'ABRDH-BR01-JL01-V304-70.80.42.149' is not an IP string literal."}}}}

The raw message is here:

<165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/ABRDH-BR01-JL01-V304-70.80.42.149(27218) -> OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000]

I believe the reason this happens is the parsing rule for 106100.

```yaml
# dissect processor for message 106100 in the Filebeat cisco/asa ingest pipeline
- dissect:
    if: "ctx._temp_.cisco.message_id == '106100'"
    field: "message"
    pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.ip}(%{source.port}) -> %{_temp_.cisco.destination_interface}/%{destination.ip}(%{destination.port}) %{}"
```

I wonder if we can add an option to capture the name field to the dissect message?

adriansr added a commit to adriansr/beats that referenced this issue Oct 14, 2019
This patch makes the Cisco ASA and FTD ingest pipeline handle the case
where a domain name is found for a field where an IP is expected
according to the documentation.

To do so it follows ECS guidelines, setting .address to be the raw value
and .ip or .domain from it, depending if it's a valid IP address or not.

Fixes elastic#14034
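The following is an added worked example, not code from the issue and not the Beats pipeline itself. It renders the 106100 dissect pattern quoted above as a regex, writes the raw token straight into source.ip / destination.ip the way the original processor did, and then applies the ECS rule the commit message describes: keep the raw value in .address and set .ip only when it parses as an IP literal, .domain otherwise. A small check mimics the Elasticsearch `ip` mapper so you can see which fields would have triggered the 400 above. The two sample lines are the one quoted in the issue and one constructed for this example; the `_temp_.cisco.*` field names are taken from the pattern above, `split_addresses` and `invalid_ip_fields` are this example's own names.

```python
import ipaddress
import re

# Syslog PRI + ASA header, as in "<165>Oct 04 2019 15:27:55: %ASA-5-106100: ..."
ASA_HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<timestamp>.+?): %ASA-(?P<severity>\d)-(?P<message_id>\d{6}): (?P<message>.*)$"
)

# Regex equivalent of the module's dissect pattern for message 106100:
# access-list %{list_id} %{outcome} %{transport} %{src_if}/%{src}(%{src_port}) -> %{dst_if}/%{dst}(%{dst_port}) %{}
ACL_106100 = re.compile(
    r"^access-list (?P<list_id>\S+) (?P<outcome>\S+) (?P<transport>\S+) "
    r"(?P<src_if>[^/ ]+)/(?P<src>[^( ]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/ ]+)/(?P<dst>[^( ]+)\((?P<dst_port>\d+)\)"
)


def ecs_address_fields(prefix, raw):
    """ECS convention from the fix: <prefix>.address always holds the raw token,
    <prefix>.ip only when it is a valid IP literal, otherwise <prefix>.domain."""
    fields = {f"{prefix}.address": raw}
    try:
        ipaddress.ip_address(raw)
        fields[f"{prefix}.ip"] = raw
    except ValueError:
        fields[f"{prefix}.domain"] = raw
    return fields


def parse_asa_106100(line, split_addresses=True):
    """Parse one 106100 syslog line into a flat ECS-style document.
    split_addresses=False reproduces the original processor (raw token written
    straight into source.ip / destination.ip); True applies ecs_address_fields."""
    hdr = ASA_HEADER.match(line)
    if not hdr or hdr.group("message_id") != "106100":
        return None
    m = ACL_106100.match(hdr.group("message"))
    if not m:
        return None
    doc = {
        "event.code": hdr.group("message_id"),
        "_temp_.cisco.list_id": m.group("list_id"),
        "event.outcome": m.group("outcome"),
        "network.transport": m.group("transport"),
        "_temp_.cisco.source_interface": m.group("src_if"),
        "source.port": int(m.group("src_port")),
        "_temp_.cisco.destination_interface": m.group("dst_if"),
        "destination.port": int(m.group("dst_port")),
    }
    for prefix, group in (("source", "src"), ("destination", "dst")):
        raw = m.group(group)
        if split_addresses:
            doc.update(ecs_address_fields(prefix, raw))
        else:
            doc[f"{prefix}.ip"] = raw  # original behaviour: hostname ends up in an ip field
    return doc


def invalid_ip_fields(doc):
    """Mimic the Elasticsearch 'ip' mapper check behind the mapper_parsing_exception:
    return the names of *.ip fields whose value is not an IP string literal."""
    bad = []
    for key, value in doc.items():
        if key.endswith(".ip"):
            try:
                ipaddress.ip_address(value)
            except ValueError:
                bad.append(key)
    return bad


# Sample input 1: the raw message quoted in the issue (object name where an IP was expected).
ISSUE_LINE = ("<165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp "
              "LB-DMZ/ABRDH-BR01-JL01-V304-70.80.42.149(27218) -> OUTSIDE/195.122.12.242(53) "
              "hit-cnt 1 first hit [0x16847359, 0x00000000]")
# Sample input 2: constructed for this example, both endpoints are plain IP literals.
PLAIN_LINE = ("<166>Oct 04 2019 15:28:01: %ASA-6-106100: access-list AL-DMZ-LB-IN permitted udp "
              "LB-DMZ/10.20.30.40(5353) -> OUTSIDE/198.51.100.7(53) hit-cnt 3 300-second interval "
              "[0x1a2b3c4d, 0x00000000]")

if __name__ == "__main__":
    before = parse_asa_106100(ISSUE_LINE, split_addresses=False)
    print("original processor, fields the ip mapper rejects:", invalid_ip_fields(before))
    after = parse_asa_106100(ISSUE_LINE)
    print("patched, source.* fields:", {k: v for k, v in after.items() if k.startswith("source.")})
    print("patched, rejected fields:", invalid_ip_fields(after))
    print("constructed plain line, rejected fields:", invalid_ip_fields(parse_asa_106100(PLAIN_LINE)))
```

`ecs_address_fields` is the same split for any endpoint prefix, so `ecs_address_fields("source.nat", "SDC")` shows how the later source.nat.ip report in this thread would be handled once that field is treated the same way. One caveat for detection content: an ASA host or object name such as the one above is not a DNS name, yet after the fix it lands in `source.domain`, and events with a named endpoint no longer match rules or visualisations keyed on `source.ip`; query `source.address` when you need every event regardless of how the endpoint was logged.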
adriansr added a commit that referenced this issue Oct 14, 2019
This patch makes the Cisco ASA and FTD ingest pipeline handle the case
where a domain name is found for a field where an IP is expected
according to the documentation.

To do so it follows ECS guidelines, setting .address to be the raw value
and .ip or .domain from it, depending if it's a valid IP address or not.

Fixes #14034
adriansr added a commit to adriansr/beats that referenced this issue Oct 14, 2019
This patch makes the Cisco ASA and FTD ingest pipeline handle the case
where a domain name is found for a field where an IP is expected
according to the documentation.

To do so it follows ECS guidelines, setting .address to be the raw value
and .ip or .domain from it, depending if it's a valid IP address or not.

Fixes elastic#14034

(cherry picked from commit a678bc9)
adriansr added a commit that referenced this issue Oct 15, 2019
…d domain names (#14040)

This patch makes the Cisco ASA and FTD ingest pipeline handle the case
where a domain name is found for a field where an IP is expected
according to the documentation.

To do so it follows ECS guidelines, setting .address to be the raw value
and .ip or .domain from it, depending if it's a valid IP address or not.

Fixes #14034

(cherry picked from commit a678bc9)
@HaZet1968

Same here for field [source.nat.ip]. Filebeat Version 7.5.2

[2020-01-29T10:03:33,635][WARN ][logstash.outputs.elasticsearch][beats] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"filebeat-7.5.2-2020.01.29", :routing=>nil, :_type=>"_doc", :pipeline=>"filebeat-7.5.2-cisco-asa-asa-ftd-pipeline"}, #<LogStash::Event:0x479fcb69>], :response=>{"index"=>{"_index"=>"filebeat-7.5.2-2020.01.29", "_type"=>"_doc", "_id"=>"RreK8G8BWYzewJIFnCTn", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [source.nat.ip] of type [ip] in document with id 'RreK8G8BWYzewJIFnCTn'. Preview of field's value: 'SDC'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'SDC' is not an IP string literal."}}}}}

@adriansr adriansr reopened this Jan 29, 2020
@adriansr adriansr self-assigned this Jan 29, 2020
@HaZet1968

Anything new here? Still waiting for a fix. Currently using Version 7.6.2

leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
…expected domain names (elastic#14040)

This patch makes the Cisco ASA and FTD ingest pipeline handle the case
where a domain name is found for a field where an IP is expected
according to the documentation.

To do so it follows ECS guidelines, setting .address to be the raw value
and .ip or .domain from it, depending if it's a valid IP address or not.

Fixes elastic#14034

(cherry picked from commit 9f20d7c)