Sophos UTM Integration incorrectly parses message header #1540

Closed
bcallaghan-et opened this issue Aug 17, 2021 · 1 comment · Fixed by elastic/beats#28638 or #2034
Labels
bug Something isn't working, use only for issues

Comments

@bcallaghan-et

I am using the Sophos integration to read UTM logs from a local file. Each of the log messages has a format similar to the following examples. It's important to note that utm-2 (the firewall's hostname) is included in the header of every message.

2021:07:27-20:50:52 utm-2 ulogd[27536]: <payload>
2021:07:27-20:50:52 utm-2 httpproxy[18317]: <payload>
2021:07:27-20:51:02 utm-2 dhcpd: <payload>

When these messages are ingested into Elasticsearch, the field event.code contains utm-2 ulogd, rather than the expected ulogd. Further, the expected source/destination/network fields are not filled in, likely because the message ID was parsed incorrectly.

Examining the source code of the pipeline, the likely culprit is Line 2722, which was intended to match line headers that do not contain a hostname. However, the pattern hdr1 is more general than hdr2 and will always match my log lines, even though hdr2 is a more accurate match.
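The ordering problem described in this report, reproduced as an added example (not code from the issue or from the elastic/integrations pipeline): two hypothetical header patterns, a loose "no hostname" one (hdr1) and a hostname-aware one (hdr2), are tried in sequence against the log lines quoted above plus one constructed hostname-less line. With the loose pattern first, the program field (what the pipeline copies into event.code) swallows "utm-2 ulogd"; trying the hostname pattern first, and tightening the hostname-less pattern so a program name cannot contain whitespace, yields the expected split. Pattern names, group names and the helper functions are assumptions for illustration.

```python
import re
from typing import Optional

# Constructed sample lines in the header format quoted in the issue;
# "<payload>" stands in for the real message body.
SAMPLE_LINES = [
    "2021:07:27-20:50:52 utm-2 ulogd[27536]: <payload>",
    "2021:07:27-20:50:52 utm-2 httpproxy[18317]: <payload>",
    "2021:07:27-20:51:02 utm-2 dhcpd: <payload>",
    "2021:07:27-20:51:02 dhcpd: <payload>",  # constructed: header without a hostname
]

TS = r"(?P<timestamp>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})"
PID = r"(?:\[(?P<pid>\d+)\])?"

# Hypothetical reconstruction of the two header patterns the report calls hdr1/hdr2.
# hdr1 (no hostname) allows spaces inside the program name, so on a line that
# carries a hostname it greedily captures "utm-2 ulogd" as the program.
HDR1_LOOSE = re.compile(TS + r" (?P<program>[^\[:]+)" + PID + r": (?P<payload>.*)$")

# hdr2 expects a hostname token before the program name.
HDR2_HOST = re.compile(
    TS + r" (?P<hostname>\S+) (?P<program>[^\s\[:]+)" + PID + r": (?P<payload>.*)$"
)

# Hardened hdr1: a program name contains no whitespace, so this pattern cannot
# match a hostname-bearing line and is safe regardless of evaluation order.
HDR1_STRICT = re.compile(TS + r" (?P<program>[^\s\[:]+)" + PID + r": (?P<payload>.*)$")

# Pattern order as the report describes it (general pattern first) and as corrected.
BUGGY_ORDER = [HDR1_LOOSE, HDR2_HOST]
FIXED_ORDER = [HDR2_HOST, HDR1_STRICT]


def parse_header(line: str, patterns) -> Optional[dict]:
    """Return the named groups of the first pattern that matches, or None.

    The first match wins, which is exactly why a too-general pattern placed
    first shadows a more specific one placed later.
    """
    for pattern in patterns:
        match = pattern.match(line)
        if match:
            fields = match.groupdict()
            fields.setdefault("hostname", None)  # hostname-less patterns have no such group
            return fields
    return None


def event_code(line: str, patterns) -> Optional[str]:
    """Mimic the pipeline copying the parsed program name into event.code."""
    fields = parse_header(line, patterns)
    return fields["program"] if fields else None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
        print("  buggy order -> event.code:", repr(event_code(line, BUGGY_ORDER)))
        print("  fixed order -> event.code:", repr(event_code(line, FIXED_ORDER)),
              "hostname:", repr(parse_header(line, FIXED_ORDER)["hostname"]))
```

The strict pattern is the more robust half of the fix: even if a maintainer later reorders the patterns, a hostname-less pattern that refuses whitespace in the program name can never claim a line that a hostname-aware pattern should own, so the two patterns no longer overlap on any input.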

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@andrewkroh added the bug label Oct 21, 2021
adriansr added a commit that referenced this issue Oct 29, 2021
Updates the sophos/utm datastream to support logs that include a
hostname in their syslog header.

Closes #1540
eyalkraft pushed a commit to build-security/integrations that referenced this issue Mar 30, 2022

Updates the sophos/utm datastream to support logs that include a
hostname in their syslog header.

Closes elastic#1540
5 participants