
[Arista NG Firewall]: Grok Parsing Errors Due to Updated Syslog Message Format #12175

Open
MakoWish opened this issue Dec 22, 2024 · 1 comment · May be fixed by #12176
Labels
Integration:arista_ngfw Arista NG Firewall needs:triage Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices]

Comments

@MakoWish
Contributor

Integration Name

Arista NG Firewall [arista_ngfw]

Dataset Name

log

Integration Version

1.2.0

Agent Version

8.17.0

Agent Output Type

elasticsearch

Elasticsearch Version

8.17.0

OS Version and Architecture

Kubuntu 24.04

Software/API Version

No response

Error Message

Provided Grok expressions do not match field value: [<13>Dec 22 09:21:53 INFO uvm[0]: {"timeStamp":"2024-12-22 09:21:53.169","flagged":false,"blocked":false,"sessionId":113689597121086,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}]

Event Original

<13>Dec 22 09:21:53 INFO uvm[0]: {"timeStamp":"2024-12-22 09:21:53.169","flagged":false,"blocked":false,"sessionId":113689597121086,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}

What did you do?

Basic configuration.

What did you see?

[Image not captured in this extract]

What did you expect to see?

[Image not captured in this extract]

Anything else?

I just rebooted my firewall the other day, and that is when the issue started. It seems that where there were previously two spaces after the `uvm[0]:` in the Syslog messages, the format was changed by Arista to have only a single space. The Grok pattern will need to be updated to account for either one or two spaces. Regex handles the issue with the new Grok pattern being:

<%{NONNEGINT:log.syslog.priority:int}>%{SYSLOGTIMESTAMP:_temp_.raw_date} %{WORD}  %{NOTSPACE}\:[\s]+%{GREEDYDATA:_temp_.full_message}

A PR will be pushed with a fix shortly.
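To make the spacing change concrete, the following is an added Python reconstruction (not code from the integration or from the issue author) that runs a strict two-space pattern and the relaxed `\s+` pattern from the comment above over both message variants. The translation of the Grok macros into plain regex and the exact shape of the pre-fix two-space pattern are assumptions.

```python
import json
import re

# Constructed sample messages: the single-space format reported in the issue,
# and the older two-space format after "uvm[0]:" that the previous pattern expected.
NEW_FORMAT = ('<13>Dec 22 09:21:53 INFO uvm[0]: {"timeStamp":"2024-12-22 09:21:53.169",'
              '"flagged":false,"blocked":false,"sessionId":113689597121086,"ruleId":0,'
              '"class":"class com.untangle.app.firewall.FirewallEvent"}')
OLD_FORMAT = NEW_FORMAT.replace("uvm[0]: ", "uvm[0]:  ", 1)

# Assumed plain-regex equivalents of the Grok macros used in the pattern
# (NONNEGINT -> \d+, SYSLOGTIMESTAMP -> month/day/time, WORD -> \w+, NOTSPACE -> \S+,
# GREEDYDATA -> .*).
MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
SYSLOGTIMESTAMP = MONTH + r" +\d{1,2} \d{2}:\d{2}:\d{2}"
PREFIX = (r"^<(?P<priority>\d+)>(?P<raw_date>" + SYSLOGTIMESTAMP + r") "
          r"(?P<level>\w+) (?P<process>\S+):")

# Hypothetical reconstruction of the pre-fix behaviour: exactly two spaces required.
OLD_PATTERN = re.compile(PREFIX + r"  (?P<full_message>.*)$")
# Relaxed pattern from the issue: one or more whitespace characters ([\s]+).
NEW_PATTERN = re.compile(PREFIX + r"\s+(?P<full_message>.*)$")


def parse_ngfw_syslog(line, pattern=NEW_PATTERN):
    """Return the extracted fields as a dict, or None when the pattern does not match.

    The JSON payload is decoded as well, so the fields the pipeline uses after the
    grok step (sessionId, class, ...) are available for inspection.
    """
    m = pattern.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["priority"] = int(fields["priority"])  # mirrors the :int type hint
    fields["event"] = json.loads(fields["full_message"])
    return fields


if __name__ == "__main__":
    for name, line in (("old", OLD_FORMAT), ("new", NEW_FORMAT)):
        print(name, "strict:", parse_ngfw_syslog(line, OLD_PATTERN) is not None,
              "relaxed:", parse_ngfw_syslog(line, NEW_PATTERN) is not None)
```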

@MakoWish MakoWish changed the title [Integration Name]: Brief description of the issue [Arista NG Firewall]: Grok Parsing Errors Due to Updated Syslog Message Format Dec 22, 2024
@andrewkroh andrewkroh added Integration:arista_ngfw Arista NG Firewall Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices] labels Dec 23, 2024
@elasticmachine

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)
