[Filebeat] Enhancement - Pattern for Cisco Message 734001. #16543
Conversation
|
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
1 similar comment
|
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
|
Pinging @elastic/siem (Team:SIEM) |
There was a problem hiding this comment.
This looks good to me. Just a minor comment on fields.yml.
Can you please add an entry to the CHANGELOG.next.asciidoc file under the Added/Filebeat section.
From checking the Travis CI output, it looks like you need to run make update from the filebeat and/or x-pack/filebeat directories to re-generate some files.
|
|
||
| - name: dap_records | ||
| type: keyword | ||
| description: -> |
There was a problem hiding this comment.
| description: -> | |
| description: > |
There was a problem hiding this comment.
my bad
This looks good to me. Just a minor comment on fields.yml.
Can you please add an entry to the CHANGELOG.next.asciidoc file under the Added/Filebeat section.
From checking the Travis CI output, it looks like you need to run
make updatefrom the filebeat and/or x-pack/filebeat directories to re-generate some files.
My bad with the wrong "-", I changed them and made a "make update" in the /beats/filebeat/xpack and /beats/filebeat folder
|
|
||
| - name: dap_records | ||
| type: keyword | ||
| description: -> |
There was a problem hiding this comment.
| description: -> | |
| description: > |
I did a "make update" both in beats/x-pack/filebeat/ and /beats/filebeat. Pipeline still failing.
Where can I find it? |
Maybe fixes #16212 The split part is needed, because one has to be able to search for an explicit dap_record. As the records order and number can vary a lot, just saving the whole string makes no sense. I choosed "cisco.user" and "cisco.connection_type", as looking to the syslog messages docs, they also call it like that.
|
I will retry it again merging the current state, as the pipeline fails @andrewkroh @ChrsMark can you please (please) delete this PR as in the commit ammend is a wrong author? Thank you! |
What does this PR do?
Adds a new pipeline pattern for the cisci asa/ftd log messages with the event id 734001.
The split part is needed, because one has to be able to search for an
explicit dap_record. As the records order and number can vary a lot,
just saving the whole string makes no sense. I choosed "user.email", "source.ip" based on the ECS and "cisco.connection_type", "cisco.dap_records" as looking to the syslog messages docs,
they also call it like that.
Why is it important?
We need this filter for troubleshooting VPN Connections
Checklist
- [ ] I have commented my code, particularly in hard-to-understand areas- [ ] I have made corresponding changes to the documentationHow to test this PR locally
Test Logfile is added
Related issues
Closes #16212.