Typo in logstash-patterns-core/patterns/ecs-v1/firewalls
ThomSwiss opened this issue · 1 comment
Logstash information:
Please include the following information:
- Logstash version 8.2.2
- Logstash installation source: official repo of DEB packages
Description of the problem including expected versus actual behavior:
- Logstash pipeline crashes
- In the filter logstash-patterns-core/patterns/ecs-v1/firewalls
(on my installation located here: ./usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-patterns-core-4.3.3/patterns/ecs-v1/firewalls)
on line 63, in CISCOFW302013_302014_302015_302016, there is a typo. Please correct
[source][user][name?]
to
[source][user][name]
When I change this on my installation, it solves the problem.
Steps to reproduce:
Just use the filter with firewall logs
Provide logs (if relevant):
[2022-06-16T14:56:49,076][WARN ][logstash.filters.grok ] Grok regexp threw exception {:message=>"Invalid FieldReference: [source][user][name", :exception=>RuntimeError, :backtrace=>["org/logstash/ext/JrubyEventExtLibrary.java:112:in `get'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:426:in `handle'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:386:in `block in match'", "(eval):21:in `block in compile_captures_func'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/jls-grok-0.11.5/lib/grok-pure.rb:202:in `capture'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:386:in `block in match'", "org/jruby/RubyArray.java:1821:in `each'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:381:in `match'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:367:in `match_against_groks'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:357:in `match'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:301:in `block in filter'", "org/jruby/RubyHash.java:1415:in `each'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:300:in `filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:in `do_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:178:in `block in multi_filter'", "org/jruby/RubyArray.java:1821:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:175:in `multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:in `multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:300:in `block in start_workers'"]}
This issue was mentioned in this discuss topic.
The error is in the pattern CISCOFW302013_302014_302015_302016 in the firewalls pattern file. The part that should extract the source.user.name is wrong.
It is now:
(?:\(%{DATA:[source][user][name?]}\))
And it should be changed to:
(?:\(%{DATA:[source][user][name]}\))
I was able to replicate the issue in 8.2.3 and changing the pattern file solved it.
Sample message tested (sample for ASA-6-302016):
"Teardown UDP connection 89517928 for ingress_interface:10.0.0.15/61541(some.username) to egress_interface:192.168.0.20/53 duration 0:00:00 bytes 116 (some.username)"
Result after changing the pattern file:
{
  "cisco" => {
    "asa" => {
      "connection_id" => "89517928",
      "network" => {
        "transport" => "UDP"
      },
      "duration" => "0:00:00",
      "outcome" => "Teardown"
    }
  },
  "message" => "Teardown UDP connection 89517928 for ingress_interface:10.0.0.15/61541(some.username) to egress_interface:192.168.0.20/53 duration 0:00:00 bytes 116 (some.username)",
  "@version" => "1",
  "@timestamp" => 2022-06-17T14:00:59.337891Z,
  "event" => {
    "original" => "Teardown UDP connection 89517928 for ingress_interface:10.0.0.15/61541(some.username) to egress_interface:192.168.0.20/53 duration 0:00:00 bytes 116 (some.username)"
  },
  "observer" => {
    "ingress" => {
      "interface" => {
        "name" => "ingress_interface"
      }
    },
    "egress" => {
      "interface" => {
        "name" => "egress_interface"
      }
    }
  },
  "source" => {
    "user" => {
      "name" => "some.username"
    },
    "ip" => "10.0.0.15",
    "port" => 61541
  },
  "destination" => {
    "ip" => "192.168.0.20",
    "port" => 53
  },
  "network" => {
    "bytes" => 116
  },
  "host" => {
    "hostname" => "elk-lab"
  }
}
I can make a PR with this change.
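The thread above shows that a single stray character in a grok SEMANTIC name only surfaces at runtime, once an event actually hits that capture. The following Ruby script is an added example, not code from Logstash, logstash-patterns-core or either poster: it expands grok-style %{SYNTAX:SEMANTIC} tokens into a Ruby regexp, rejects a malformed field reference such as [source][user][name?] at compile time, and then runs the corrected reference over the sample teardown message from the comment. The base patterns (WORD, INT, IP, DATA, TIME), the field-reference grammar and the shortened SAMPLE_PATTERN are all constructed, simplified stand-ins; only the (?:\(%{DATA:[source][user][name]}\)) piece is quoted from the thread, and the real CISCOFW302013_302014_302015_302016 definition is longer.

```ruby
# Added example (not from Logstash or logstash-patterns-core): a small grok-style
# expander that fails fast on malformed field references and builds the nested
# event hash that a reference like [source][user][name] describes.

# Constructed base patterns. These are simplified stand-ins; the real grok
# library definitions of DATA, INT, IP, WORD and TIME are more elaborate.
PATTERNS = {
  "WORD" => '\b\w+\b',
  "INT"  => '[+-]?\d+',
  "IP"   => '(?:\d{1,3}\.){3}\d{1,3}',
  "DATA" => '.*?',
  "TIME" => '\d+:\d{2}:\d{2}',
}.freeze

# Assumed, simplified field-reference grammar: a bare name, or one or more
# bracketed segments of word characters, '.', '@' or '-'. Logstash's own
# FieldReference parser differs in details; this only needs to catch the kind
# of typo in the issue (a stray '?' inside a segment).
FIELD_REF = /\A(?:[\w.@-]+|(?:\[[\w.@-]+\])+)\z/

def valid_field_ref?(ref)
  FIELD_REF.match?(ref)
end

# "[a][b][c]" -> ["a", "b", "c"]; a bare name becomes a one-element path.
def field_path(ref)
  ref.start_with?("[") ? ref.scan(/\[([^\]]+)\]/).flatten : [ref]
end

# Expand %{SYNTAX:SEMANTIC} into named groups g0, g1, ... and return the
# compiled regexp plus a group -> field path map. An invalid SEMANTIC raises
# here, so a broken pattern file fails at load time instead of per event.
def compile_grok(pattern)
  fields = {}
  idx = 0
  regex_src = pattern.gsub(/%\{(\w+)(?::([^}]+))?\}/) do
    syntax, semantic = $1, $2
    base = PATTERNS.fetch(syntax) { raise ArgumentError, "unknown pattern #{syntax}" }
    if semantic.nil?
      "(?:#{base})"
    else
      raise ArgumentError, "Invalid FieldReference: #{semantic}" unless valid_field_ref?(semantic)
      name = "g#{idx}"
      idx += 1
      fields[name] = field_path(semantic)
      "(?<#{name}>#{base})"
    end
  end
  [Regexp.new(regex_src), fields]
end

# Match one message and build the nested hash the field references describe.
def grok_match(pattern, message)
  regex, fields = compile_grok(pattern)
  m = regex.match(message)
  return nil unless m
  event = {}
  fields.each do |group, path|
    value = m[group]
    next if value.nil?
    node = path[0..-2].inject(event) { |h, k| h[k] ||= {} }
    node[path[-1]] = value
  end
  event
end

# Constructed, shortened pattern for the sample message from the thread. Only
# the (?:\(%{DATA:[source][user][name]}\)) part is quoted from the issue; the
# trailing '?' makes the user name optional, as not every teardown carries one.
SAMPLE_PATTERN =
  '%{WORD:[cisco][asa][outcome]} %{WORD:[cisco][asa][network][transport]} connection ' \
  '%{INT:[cisco][asa][connection_id]} for %{DATA:[observer][ingress][interface][name]}:' \
  '%{IP:[source][ip]}/%{INT:[source][port]}(?:\(%{DATA:[source][user][name]}\))? to ' \
  '%{DATA:[observer][egress][interface][name]}:%{IP:[destination][ip]}/%{INT:[destination][port]} ' \
  'duration %{TIME:[cisco][asa][duration]} bytes %{INT:[network][bytes]}'

# The same pattern with the typo from the issue reintroduced.
BROKEN_PATTERN = SAMPLE_PATTERN.sub("[source][user][name]", "[source][user][name?]")

# Sample message as posted in the thread.
SAMPLE_MESSAGE = "Teardown UDP connection 89517928 for ingress_interface:10.0.0.15/61541(some.username) " \
                 "to egress_interface:192.168.0.20/53 duration 0:00:00 bytes 116 (some.username)"

if $PROGRAM_NAME == __FILE__
  begin
    compile_grok(BROKEN_PATTERN)
  rescue ArgumentError => e
    puts "broken pattern rejected at compile time: #{e.message}"
  end
  p grok_match(SAMPLE_PATTERN, SAMPLE_MESSAGE)
end
```

Running compile_grok over every %{...} token in a patterns directory before deploying it is the practical use: the check is cheap, and it turns the per-event WARN in the Logstash log above into a single failure at startup.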