Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Filebeat] Cisco module asa-ftd pipeline pollutes the mapping when it fails #18391

Closed
weltenwort opened this issue May 8, 2020 · 1 comment · Fixed by #18392
Closed

[Filebeat] Cisco module asa-ftd pipeline pollutes the mapping when it fails #18391

weltenwort opened this issue May 8, 2020 · 1 comment · Fixed by #18392
Assignees
@adriansr
Labels
bug Filebeat Filebeat

Comments

@weltenwort
Copy link
Member

weltenwort commented May 8, 2020
edited
Loading

Filebeat version: 7.4.2

The asa-ftd ingest pipeline of the cisco Filebeat module leaves a lot of _temp_.* fields in the ingested documents if the pipeline fails at the wrong processor. This means that the index mapping size grows dramatically due to the dynamic mapping mechanism and which causes problems when querying the cluster state.
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 8, 2020
@adriansr adriansr self-assigned this May 8, 2020
adriansr added a commit to adriansr/beats that referenced this issue May 8, 2020
@adriansr
Cisco asa/ftd: Remove _temp_ fields on failure
c686c13 
The shared pipeline for Cisco ASA and FTD creates temporary fields under
the _temp_ object. If a failure happens in the middle of the pipeline,
all those fields would be indexed, causing the index mapping to grow too
big.

Fixes elastic#18391
@adriansr adriansr added Team:SIEM and removed needs_team Indicates that the issue/PR needs a Team:* label labels May 8, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@adriansr adriansr mentioned this issue May 8, 2020
Merged
6 tasks
adriansr added a commit that referenced this issue May 13, 2020
@adriansr
Cisco asa/ftd: Remove _temp_ fields on failure (#18392)
3605c47 
The shared pipeline for Cisco ASA and FTD creates temporary fields under
the _temp_ object. If a failure happens in the middle of the pipeline,
all those fields would be indexed, causing the index mapping to grow too
big.

Fixes #18391
adriansr added a commit to adriansr/beats that referenced this issue May 13, 2020
@adriansr
Cisco asa/ftd: Remove _temp_ fields on failure (elastic#18392)
33a5835 
The shared pipeline for Cisco ASA and FTD creates temporary fields under
the _temp_ object. If a failure happens in the middle of the pipeline,
all those fields would be indexed, causing the index mapping to grow too
big.

Fixes elastic#18391

(cherry picked from commit 3605c47)
@adriansr adriansr mentioned this issue May 13, 2020
Merged
6 tasks
adriansr added a commit to adriansr/beats that referenced this issue May 13, 2020
@adriansr
Cisco asa/ftd: Remove _temp_ fields on failure (elastic#18392)
f7c01a3 
The shared pipeline for Cisco ASA and FTD creates temporary fields under
the _temp_ object. If a failure happens in the middle of the pipeline,
all those fields would be indexed, causing the index mapping to grow too
big.

Fixes elastic#18391

(cherry picked from commit 3605c47)
@adriansr adriansr mentioned this issue May 13, 2020
Merged
6 tasks
adriansr added a commit to adriansr/beats that referenced this issue May 13, 2020
@adriansr
Cisco asa/ftd: Remove _temp_ fields on failure (elastic#18392)
3e8c21c 
The shared pipeline for Cisco ASA and FTD creates temporary fields under
the _temp_ object. If a failure happens in the middle of the pipeline,
all those fields would be indexed, causing the index mapping to grow too
big.

Fixes elastic#18391

(cherry picked from commit 3605c47)
@adriansr adriansr mentioned this issue May 13, 2020
Merged
6 tasks
adriansr added a commit that referenced this issue May 13, 2020
@adriansr
Cisco asa/ftd: Remove _temp_ fields on failure (#18392) (#18475)
7526f6b 
The shared pipeline for Cisco ASA and FTD creates temporary fields under
the _temp_ object. If a failure happens in the middle of the pipeline,
all those fields would be indexed, causing the index mapping to grow too
big.

Fixes #18391

(cherry picked from commit 3605c47)
adriansr added a commit that referenced this issue May 13, 2020
@adriansr
Cisco asa/ftd: Remove _temp_ fields on failure (#18392) (#18476)
8992fa1 
The shared pipeline for Cisco ASA and FTD creates temporary fields under
the _temp_ object. If a failure happens in the middle of the pipeline,
all those fields would be indexed, causing the index mapping to grow too
big.

Fixes #18391

(cherry picked from commit 3605c47)
This was referenced May 13, 2020
Closed
Closed
adriansr added a commit that referenced this issue May 14, 2020
@adriansr
Cisco asa/ftd: Remove _temp_ fields on failure (#18392) (#18474)
2ae668a 
The shared pipeline for Cisco ASA and FTD creates temporary fields under
the _temp_ object. If a failure happens in the middle of the pipeline,
all those fields would be indexed, causing the index mapping to grow too
big.

Fixes #18391

(cherry picked from commit 3605c47)
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
@adriansr
Cisco asa/ftd: Remove _temp_ fields on failure (elastic#18392) (elast…
1f21d75 
…ic#18476)

The shared pipeline for Cisco ASA and FTD creates temporary fields under
the _temp_ object. If a failure happens in the middle of the pipeline,
all those fields would be indexed, causing the index mapping to grow too
big.

Fixes elastic#18391

(cherry picked from commit 9c3faed)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@adriansr adriansr

Labels
bug Filebeat Filebeat
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Cisco asa/ftd: Remove _temp_ fields on failure adriansr/beats
3 participants
@weltenwort @adriansr @elasticmachine