logstash-plugins/logstash-patterns-core

Typo in logstash-patterns-core/patterns/ecs-v1/firewalls

ThomSwiss opened this issue · 1 comment

Logstash information:

Please include the following information:

  1. Logstash version 8.2.2
  2. Logstash installation source: official repo of DEB packages

Description of the problem including expected versus actual behavior:

  • Logstash pipeline crashes
  • In the filter logstash-patterns-core/patterns/ecs-v1/firewalls
    (on my installation located here: ./usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-patterns-core-4.3.3/patterns/ecs-v1/firewalls)

On line 63, in CISCOFW302013_302014_302015_302016, there is a typo. Please correct
[source][user][name?]
to
[source][user][name]
When I change this on my installation, it solves the problem.

Steps to reproduce:
Just use the filter with firewall logs

Provide logs (if relevant):
[2022-06-16T14:56:49,076][WARN ][logstash.filters.grok ] Grok regexp threw exception {:message=>"Invalid FieldReference: [source][user][name", :exception=>RuntimeError, :backtrace=>["org/logstash/ext/JrubyEventExtLibrary.java:112:in get'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:426:in handle'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:386:in block in match'", "(eval):21:in block in compile_captures_func'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/jls-grok-0.11.5/lib/grok-pure.rb:202:in capture'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:386:in block in match'", "org/jruby/RubyArray.java:1821:in each'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:381:in match'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:367:in match_against_groks'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:357:in match'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:301:in block in filter'", "org/jruby/RubyHash.java:1415:in each'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.2/lib/logstash/filters/grok.rb:300:in filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:in do_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:178:in block in multi_filter'", "org/jruby/RubyArray.java:1821:in each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:175:in multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:in multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:300:in `block in start_workers'"]}

This issue was mentioned in this discuss topic.

The error is in the pattern CISCOFW302013_302014_302015_302016 in the firewalls pattern file.

The part that should extract the source.user.name is wrong.

It is now:

(?:\(%{DATA:[source][user][name?]}\))

And it should be changed to:

(?:\(%{DATA:[source][user][name]}\))

I was able to replicate the issue in 8.2.3 and changing the pattern file solved it.

Sample message tested (sample for ASA-6-302016)

"Teardown UDP connection 89517928 for ingress_interface:10.0.0.15/61541(some.username) to egress_interface:192.168.0.20/53 duration 0:00:00 bytes 116 (some.username)"

Result after changing the pattern file:

{
          "cisco" => {
        "asa" => {
            "connection_id" => "89517928",
                  "network" => {
                "transport" => "UDP"
            },
                 "duration" => "0:00:00",
                  "outcome" => "Teardown"
        }
    },
        "message" => "Teardown UDP connection 89517928 for ingress_interface:10.0.0.15/61541(some.username) to egress_interface:192.168.0.20/53 duration 0:00:00 bytes 116 (some.username)",
       "@version" => "1",
     "@timestamp" => 2022-06-17T14:00:59.337891Z,
          "event" => {
        "original" => "Teardown UDP connection 89517928 for ingress_interface:10.0.0.15/61541(some.username) to egress_interface:192.168.0.20/53 duration 0:00:00 bytes 116 (some.username)"
    },
       "observer" => {
        "ingress" => {
            "interface" => {
                "name" => "ingress_interface"
            }
        },
         "egress" => {
            "interface" => {
                "name" => "egress_interface"
            }
        }
    },
         "source" => {
        "user" => {
            "name" => "some.username"
        },
          "ip" => "10.0.0.15",
        "port" => 61541
    },
    "destination" => {
          "ip" => "192.168.0.20",
        "port" => 53
    },
        "network" => {
        "bytes" => 116
    },
           "host" => {
        "hostname" => "elk-lab"
    }
}

I can make a PR with this change.
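The typo discussed in this thread only surfaces at runtime, when the grok filter first tries to write the capture and Logstash rejects the field reference. The following is an added example, not code from logstash-patterns-core, the grok filter or Logstash: a small Ruby lint that walks a grok patterns file (one `NAME definition` per line, `#` comments), pulls every `%{PATTERN:field}` / `%{PATTERN:field:type}` capture out of each definition, and reports field references with unbalanced brackets or unexpected characters, plus capture types other than `int` and `float`. The character set it allows inside a field segment is the lint's own conservative choice, not the exact grammar grok or Logstash's FieldReference parser implements; the sample patterns embedded in it are constructed in the shape of the ecs-v1 firewalls definitions and are not the shipped file.

```ruby
# Lint a grok patterns file for capture field references that Logstash would
# reject at runtime, the class of typo behind this issue ("[source][user][name?]").
# Added example for the discussion above; not code from logstash-patterns-core
# or the grok filter. SEGMENT is this lint's own conservative choice of allowed
# characters (an assumption), not the grammar grok itself implements.

# A grok capture is %{PATTERN}, %{PATTERN:field} or %{PATTERN:field:type}.
GROK_CAPTURE = /%\{(?<pattern>[A-Za-z0-9_]+)(?::(?<field>[^:}]+))?(?::(?<type>[^}]+))?\}/

# Characters this lint accepts inside one field segment (between a pair of
# brackets, or as the whole bare name). "?" is deliberately not among them.
SEGMENT = /\A[A-Za-z0-9_.@-]+\z/

# Grok only knows these two capture type conversions.
KNOWN_TYPES = %w[int float].freeze

# Returns nil for a well-formed field reference, otherwise a short description
# of what is wrong with it.
def field_reference_error(ref)
  return "empty field reference" if ref.nil? || ref.empty?
  unless ref.start_with?("[")
    # Bare name such as "message" or "@timestamp".
    return SEGMENT.match?(ref) ? nil : "bare name #{ref.inspect} has characters outside #{SEGMENT.source}"
  end
  # Nested form: consume balanced [segment] groups from left to right.
  rest = ref
  until rest.empty?
    m = rest.match(/\A\[([^\[\]]*)\]/)
    return "unbalanced or malformed brackets in #{ref.inspect}" unless m
    seg = m[1]
    unless SEGMENT.match?(seg)
      return "segment #{seg.inspect} in #{ref.inspect} has characters outside #{SEGMENT.source}"
    end
    rest = m.post_match
  end
  nil
end

# Scans a patterns file and returns one problem hash per malformed capture:
# { line:, name:, capture:, error: }.
def lint_patterns(text)
  problems = []
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.chomp.strip
    next if line.empty? || line.start_with?("#")
    name, definition = line.split(/\s+/, 2)
    next if definition.nil?
    definition.scan(GROK_CAPTURE) do
      m = Regexp.last_match
      capture = m[0]
      if m[:field]
        err = field_reference_error(m[:field])
        problems << { line: lineno, name: name, capture: capture, error: err } if err
      end
      if m[:type] && !KNOWN_TYPES.include?(m[:type])
        problems << { line: lineno, name: name, capture: capture, error: "unknown type #{m[:type].inspect}" }
      end
    end
  end
  problems
end

# Constructed sample in the shape of the ecs-v1 firewalls file (NOT the shipped
# definitions): one teardown pattern with the typo from the issue, one fixed.
SAMPLE_PATTERNS = <<~'PATTERNS'
  # constructed sample patterns, not the real firewalls file
  CISCOFW_TEARDOWN_BUGGY %{WORD:[cisco][asa][outcome]} %{WORD:[cisco][asa][network][transport]} connection %{INT:[cisco][asa][connection_id]} for %{NOTSPACE:[observer][ingress][interface][name]}:%{IP:[source][ip]}/%{INT:[source][port]:int}(?:\(%{DATA:[source][user][name?]}\))? to %{NOTSPACE:[observer][egress][interface][name]}:%{IP:[destination][ip]}/%{INT:[destination][port]:int} duration %{TIME:[cisco][asa][duration]} bytes %{INT:[network][bytes]:int}
  CISCOFW_TEARDOWN_FIXED %{WORD:[cisco][asa][outcome]} %{WORD:[cisco][asa][network][transport]} connection %{INT:[cisco][asa][connection_id]} for %{NOTSPACE:[observer][ingress][interface][name]}:%{IP:[source][ip]}/%{INT:[source][port]:int}(?:\(%{DATA:[source][user][name]}\))? to %{NOTSPACE:[observer][egress][interface][name]}:%{IP:[destination][ip]}/%{INT:[destination][port]:int} duration %{TIME:[cisco][asa][duration]} bytes %{INT:[network][bytes]:int}
PATTERNS

if __FILE__ == $PROGRAM_NAME
  # With no argument, lint the constructed sample; otherwise lint the given file,
  # e.g. the firewalls file from the installed logstash-patterns-core gem.
  text = ARGV.empty? ? SAMPLE_PATTERNS : File.read(ARGV[0])
  problems = lint_patterns(text)
  problems.each { |p| puts "line #{p[:line]} #{p[:name]}: #{p[:capture]} -> #{p[:error]}" }
  puts "no problems found" if problems.empty?
  # Non-zero exit for CI use only when a real file was given.
  exit 1 unless ARGV.empty? || problems.empty?
end
```

Run against the constructed sample, only CISCOFW_TEARDOWN_BUGGY is reported, on its `%{DATA:[source][user][name?]}` capture; the fixed line passes. Pointed at a real patterns directory in CI (`ruby lint_grok.rb patterns/ecs-v1/firewalls`), the lint fails the build on this class of typo before a pipeline ever has to crash on it.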