[Check Point] Field checkpoint.source_object mapped incorrectly as long #25124

inqueue · 2021-04-16T19:37:02Z

Version: 7.11.2
Operating System: n/a
Steps to Reproduce:

./filebeat setup
observe field mapping for checkpoint.source_object

According to https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144192, Check Point module field checkpoint.source_object should be mapped as a string type instead of long. Events with the field can encounter a mapper_parsing_exception with the current template:

[2021-04-02T17:07:49,508][WARN ][logstash.outputs.elasticsearch][checkpoint-security][checkpoint-security] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"checkpoint-security_filebeat-7.11.2", :routing=>nil, :pipeline=>"filebeat-7.11.2-checkpoint-firewall-pipeline"}, #LogStash::Event:0x36ebe333], :response=>{"index"=>{"_index"=>"checkpoint-security_filebeat-7.11.2-2021.04.02-000021", "_type"=>"_doc", "_id"=>"2FYgk3gB7n6nMgM0RtU0", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [checkpoint.source_object] of type [long] in document with id '2FYgk3gB7n6nMgM0RtU0'. Preview of field's value: 'Africa'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"For input string: "Africa""}}}}}

Workaround

To workaround, override the default field mapping with an additional higher order template.

PUT /_template/filebeat-checkpoint-source-object-override
{
  "order": 10,
  "index_patterns": [
    "filebeat-*"
  ],
  "mappings": {
    "properties": {
      "checkpoint": {
        "properties": {
          "source_object": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      }
    }
  }
}

The field will have the correct mapping when a new Filebeat index is created.

The text was updated successfully, but these errors were encountered:

legoguy1000 · 2021-04-18T05:23:05Z

Good find. Easy fix to update the module.

elasticmachine · 2021-04-19T08:40:25Z

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

legoguy1000 · 2021-04-19T14:27:12Z

I made the change to source_object but I'm not even seeing it as a field thats parsed/set via Filebeat or the ingest pipeline (https://github.com/elastic/beats/blob/master/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml). Are you doing it via a custom logstash pipeline?

legoguy1000 · 2021-04-19T14:33:08Z

I just created a draft PR. If you think it solves your issue, I will move take it out of draft.

* #25124: Update `checkpoint.source_object` mapping * Update generated Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>

* #25124: Update `checkpoint.source_object` mapping * Update generated Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> (cherry picked from commit a5e6e5b)

* #25124: Update `checkpoint.source_object` mapping * Update generated Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> (cherry picked from commit a5e6e5b) Co-authored-by: Alex Resnick <adr8292@gmail.com>

According to https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144192, Check Point module field checkpoint.source_object should be mapped as a string type instead of long. Syncs change from: elastic/beats@a5e6e5b Relates: elastic/beats#25124

According to https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144192, Check Point module field checkpoint.source_object should be mapped as a string type instead of integer. Syncs change from: elastic/beats@a5e6e5b Relates: elastic/beats#25124 Other changes: - use ECS `log.file.path` - add `event.original` mapping - sort fields.yml by field name This was observed while preparing elastic/beats#31076.

inqueue added bug module Filebeat Filebeat labels Apr 16, 2021

botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Apr 16, 2021

jamiehynds added the Team:Security-External Integrations label Apr 19, 2021

botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Apr 19, 2021

jamiehynds removed the module label Apr 19, 2021

legoguy1000 mentioned this issue Apr 19, 2021

[Filebeat] Update checkpoint.source_object mapping #25145

Merged

6 tasks

legoguy1000 added a commit to legoguy1000/beats that referenced this issue Apr 19, 2021

elastic#25124: Update checkpoint.source_object mapping

5a5acb4

andrewkroh closed this as completed in #25145 Apr 26, 2021

andrewkroh added a commit that referenced this issue Apr 26, 2021

[Filebeat] Update checkpoint.source_object mapping (#25145)

a5e6e5b

* #25124: Update `checkpoint.source_object` mapping * Update generated Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>

andrewkroh mentioned this issue Mar 31, 2022

[checkpoint] Fix checkpoint.source_object mapping elastic/integrations#2951

Merged

4 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Check Point] Field checkpoint.source_object mapped incorrectly as long #25124

[Check Point] Field checkpoint.source_object mapped incorrectly as long #25124

inqueue commented Apr 16, 2021

legoguy1000 commented Apr 18, 2021

elasticmachine commented Apr 19, 2021

legoguy1000 commented Apr 19, 2021

legoguy1000 commented Apr 19, 2021

[Check Point] Field checkpoint.source_object mapped incorrectly as long #25124

[Check Point] Field checkpoint.source_object mapped incorrectly as long #25124

Comments

inqueue commented Apr 16, 2021

Workaround

legoguy1000 commented Apr 18, 2021

elasticmachine commented Apr 19, 2021

legoguy1000 commented Apr 19, 2021

legoguy1000 commented Apr 19, 2021