filebeat: CheckPoint module fails to parse action_reason #25575
Labels
Comments
botelastic
bot
added
the
needs_team
hazcod
changed the title
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
botelastic
bot
removed
the
needs_team
6 tasks
legoguy1000
added a commit
to legoguy1000/beats
that referenced
this issue
May 7, 2021
|
@hazcod Can you take a look at the PR I created and see if you think it satisfies the issue? |
|
@legoguy1000 Seems about right, thank you for the fix! |
P1llus
pushed a commit
that referenced
this issue
May 10, 2021
P1llus
added a commit
that referenced
this issue
May 10, 2021
…n its a string, not a Long (#25633) * #25575: Fix `checkpoint.action_reason` when its a string, not a Long (#25609) (cherry picked from commit f432b92) # Conflicts: # x-pack/filebeat/module/checkpoint/fields.go * updating fields.go Co-authored-by: Alex Resnick <adr8292@gmail.com> Co-authored-by: Marius Iversen <marius.iversen@elastic.co>
P1llus
added a commit
that referenced
this issue
May 10, 2021
…n its a string, not a Long (#25634) * #25575: Fix `checkpoint.action_reason` when its a string, not a Long (#25609) (cherry picked from commit f432b92) # Conflicts: # x-pack/filebeat/module/checkpoint/fields.go * updating fields.go Co-authored-by: Alex Resnick <adr8292@gmail.com> Co-authored-by: Marius Iversen <marius.iversen@elastic.co>
leweafan
pushed a commit
to leweafan/beats
that referenced
this issue
Apr 28, 2023
…on` when its a string, not a Long (elastic#25634) * elastic#25575: Fix `checkpoint.action_reason` when its a string, not a Long (elastic#25609) (cherry picked from commit 8b53162) # Conflicts: # x-pack/filebeat/module/checkpoint/fields.go * updating fields.go Co-authored-by: Alex Resnick <adr8292@gmail.com> Co-authored-by: Marius Iversen <marius.iversen@elastic.co>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Sometimes because of an implied rule CheckPoint will put 'Dropped by multiportal infrastructure' into
action_reasoninstead of a Long. This causes filebeat to fail parsing.Error:
Log entry:
{ "agent": { "ephemeral_id": "9a1c8a3a-f80f-4cbe-bd19", "hostname": "server", "id": "a6863ef8-5707-41da-851", "name": "server", "type": "filebeat", "version": "7.12.1" }, "ecs": { "version": "1.8.0" }, "event": { "dataset": "checkpoint.firewall", "module": "checkpoint", "timezone": "+02:00" }, "fileset": { "name": "firewall" }, "host": { "architecture": "x86_64", "containerized": false, "hostname": "server", "id": "919392f2c39a4f19a826a39121aad", "ip": [ "1.1.1.1", ], "mac": [ "00:1a:4a:04:03:00", ], "name": "server", "os": { "codename": "Ootpa", "family": "redhat", "kernel": "xxxx, "name": "Red Hat Enterprise Linux", "platform": "rhel", "type": "linux", "version": "8" } }, "input": { "type": "tcp" }, "log": { "source": { "address": "127.0.0.1:1337" } }, "message": "\\u003c134\\u003e1 2021-05-05T12:27:09Z cp-m CheckPoint 1231 - [action:\"Drop\"; flags:\"278528\"; ifdir:\"inbound\"; ifname:\"bond1.3999\"; loguid:\"{0x60928f1d,0x8,0x40de101f,0xfcdbb197}\"; origin:\"127.0.0.1\"; originsicname:\"CN=CP,O=cp.com.9jjkfo\"; sequencenum:\"62\"; time:\"1620217629\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 \\u0026 FireWall-1[db_tag={F6212FB3-54CE-6344-9164-B224119E2B92};mgmt=cp-m;date=1620031791;policy_name=CP-Cluster\\]\"; action_reason:\"Dropped by multiportal infrastructure\"; dst:\"1.1.1.1\"; product:\"VPN \\u0026 FireWall\"; proto:\"6\"; s_port:\"52780\"; service:\"80\"; src:\"1.1.1.1\"; ]", "service": { "type": "checkpoint" }, "tags": [ "checkpoint", "firewall", "prd" ] }The text was updated successfully, but these errors were encountered: