[Filebeat][Fortinet Module] Small bugfixes for time formats and IP address arrays #19316
Conversation
…not in seconds, added new timezone format option. New testlogs has been added
Pinging @elastic/siem (Team:SIEM)
Could you add a changelog entry?
Code changes look good.
Done @leehinman
This update does not fix all the date format issues. Using the following event: <189>date=2020-06-24 time=01:16:08 devname="LAB-AH-BCN-FG01" devid="FG5H1E5818905592" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="OPERATIONAL" eventtime=1592961368 srcip=10.38.160.201 srcport=60899 srcintf="ATM-GAMMA" srcintfrole="lan" dstip=10.38.34.3 dstport=161 dstintf="CORE-OPS" dstintfrole="lan" sessionid=1539390213 proto=17 action="deny" policyid=0 policytype="policy" service="SNMP" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high" results in this parsing error. Fortigate version 6.0.5.
I'll take a look @rosswakelin. This specific case was not known to me, as we do handle non-tz events in the pipeline, though seemingly not in this case. I will add the fix soon and include it, and add another log event similar to yours (though anonymized) to our unit tests.
@rosswakelin Much appreciated for the comment; it has now been resolved with the last commit, and tests have been updated to catch anything similar later. Since we do not know anything about the timezone we will have to default to something; currently that is UTC.
…dress arrays (elastic#19316) * added split for when dns is array * only fix eventtime if the time is not in seconds * added new timezone format option * new testlogs has been added * updated changelog * fixing format set for events with non timezones (cherry picked from commit 39961ad)
…dress arrays (#19316) (#19373) * added split for when dns is array * only fix eventtime if the time is not in seconds * added new timezone format option * new testlogs has been added * updated changelog * fixing format set for events with non timezones (cherry picked from commit 39961ad) Co-authored-by: Marius Iversen <[email protected]>
…dress arrays (#19316) (#19374) * added split for when dns is array * only fix eventtime if the time is not in seconds * added new timezone format option * new testlogs has been added * updated changelog * fixing format set for events with non timezones (cherry picked from commit 39961ad) Co-authored-by: Marius Iversen <[email protected]>
Finding time errors in event.start, I added UNIX alongside UNIX_MS to formats in pipeline.yml; this should now cover seconds and milliseconds?
…dress arrays (elastic#19316) * added split for when dns is array * only fix eventtime if the time is not in seconds * added new timezone format option * new testlogs has been added * updated changelog * fixing format set for events with non timezones
What does this PR do?
This PR resolves reported issues around the eventtime field being in both seconds and milliseconds and that the field ipaddr can also be an array.
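The module's real fix lives in the ingest pipeline (the date processor's formats list, as the UNIX/UNIX_MS comment above describes), but the three normalizations are easier to reason about in plain code. The following is an added illustration, not code from Filebeat or the Fortinet module: it parses a Fortinet key=value line, accepts eventtime in either seconds or milliseconds, builds event.start from date/time with the optional tz field and the UTC default the PR settled on, and splits a multi-address ipaddr. The first sample is the log from the report above; the other two are constructed. The digit-count heuristic for seconds versus milliseconds, the ", " separator in ipaddr lists and the "+0200"-style tz value are assumptions of this example, not facts stated in the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Sample from the report above (FortiOS 6.0.5): eventtime in whole seconds, no tz field.
SAMPLE_SECONDS = (
    '<189>date=2020-06-24 time=01:16:08 devname="LAB-AH-BCN-FG01" '
    'devid="FG5H1E5818905592" logid="0000000013" type="traffic" subtype="forward" '
    'eventtime=1592961368 srcip=10.38.160.201 srcport=60899 dstip=10.38.34.3 dstport=161'
)
# Constructed variants (hypothetical, not from the thread): a millisecond eventtime with a
# tz field, and a DNS log whose ipaddr carries several addresses.
SAMPLE_MS = 'date=2020-06-24 time=03:16:08 tz="+0200" type="traffic" eventtime=1592961368123'
SAMPLE_DNS = ('date=2020-06-24 time=01:16:08 type="dns" subtype="dns-response" '
              'eventtime=1592961368 ipaddr="10.38.34.3, 10.38.34.4"')

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# key=value pairs; quoted values may contain spaces and commas (e.g. ipaddr lists).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line):
    """Turn a Fortinet key=value line into a dict, dropping surrounding quotes.
    The syslog PRI prefix (<189>) contains no '=' and is skipped by the regex."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def eventtime_to_datetime(raw):
    """Convert eventtime to an aware UTC datetime whether it is seconds or milliseconds.
    Assumption: epoch seconds fit in 10 digits, so a longer integer is milliseconds."""
    if not raw.isdigit():
        raise ValueError(f"eventtime is not an integer: {raw!r}")
    value = int(raw)
    if len(raw) > 10:
        return EPOCH + timedelta(milliseconds=value)
    return EPOCH + timedelta(seconds=value)


def local_time_to_datetime(fields):
    """Combine date, time and the optional tz field (assumed form +0200) into an aware
    datetime. Without tz the log carries no timezone information, so UTC is assumed."""
    stamp = f"{fields['date']} {fields['time']}"
    tz = fields.get("tz")
    if tz is None:
        return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return datetime.strptime(f"{stamp} {tz}", "%Y-%m-%d %H:%M:%S %z")


def split_ip_list(raw):
    """ipaddr may hold one address or a comma-separated list (assumed separator ', ')."""
    return [part.strip() for part in raw.split(",") if part.strip()]


def normalize_event(line):
    """Return normalized timestamps and the address list for one log line, plus the
    disagreement in seconds between eventtime and the date/time fields. A large skew
    means the UTC default is probably wrong for that device, which is worth flagging."""
    fields = parse_kv(line)
    start = local_time_to_datetime(fields)
    result = {"event_start": start.astimezone(timezone.utc).isoformat()}
    if "eventtime" in fields:
        ev = eventtime_to_datetime(fields["eventtime"])
        result["eventtime"] = ev.isoformat()
        result["clock_skew_seconds"] = abs((ev - start).total_seconds())
    if "ipaddr" in fields:
        result["ipaddr"] = split_ip_list(fields["ipaddr"])
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_SECONDS, SAMPLE_MS, SAMPLE_DNS):
        print(normalize_event(sample))
```

For the reported log both sources agree on 2020-06-24T01:16:08 UTC, which is the check worth keeping once a UTC default is in place: devices whose clock is local time without a tz field will show a constant skew equal to their UTC offset.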
Why is it important?
Resolves niche use cases that would otherwise throw an error.
Checklist
Changelog entry: CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc
Author's Checklist
Added new logs and reran nosetests to ensure it was fixed.
Related issues