[Cisco Secure Email Gateway] Fix for grok if hostname appears before category.name in Cisco secure email gateway package #9160
| patterns: | ||
| - '^(?:<%{NUMBER:log.syslog.priority:long}>)?%{SYSLOGTIMESTAMP:_tmp.timestamp} %{DATA:cisco_secure_email_gateway.log.category.name}: %{WORD:log.level}: %{GREEDYDATA:cisco_secure_email_gateway.log.message}$' | ||
| - '^(?:<%{NUMBER:log.syslog.priority:long}>)?%{SYSLOGTIMESTAMP:_tmp.timestamp} %{DATA:cisco_secure_email_gateway.log.category.name}: %{GREEDYDATA:cisco_secure_email_gateway.log.message}$' | ||
| - '^(?:<%{NUMBER:log.syslog.priority:long}>)?%{SYSLOGTIMESTAMP:_tmp.timestamp} (?:%{HOSTNAME:cisco_secure_email_gateway.log.host} )?%{DATA:cisco_secure_email_gateway.log.category.name}: %{WORD:log.level}: %{GREEDYDATA:cisco_secure_email_gateway.log.message}$' |
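Review bot: as rendered here the new hostname-aware pattern is listed after the two existing ones, but %{DATA:cisco_secure_email_gateway.log.category.name} in the first pattern is the non-greedy .*? and can span spaces, so a line of the form "TS host category: LEVEL: message" will already match the first pattern with the hostname absorbed into category.name and the new pattern is never reached. Please confirm the pattern order in the pipeline (the hostname-aware pattern needs to be tried first) and add a sample event with a hostname to the package tests so this is covered. Also, only the log.level variant gained an optional hostname; a line with a hostname but no level still falls through to the second pattern with the same category.name problem, so a matching "(?:%{HOSTNAME:cisco_secure_email_gateway.log.host} )?" variant of that pattern looks needed too.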
As an aside (I don't think this is a problem here, based on the patterns I'm seeing): the HOSTNAME grok pattern can match against all numbers ([0-9]+). I had a problem with this in the Cisco IOS package, where pattern matches were short-circuiting due to that loose HOSTNAME pattern. At least the header variations here seem to be a bit more concise. There were at least 20 different header variations that I counted in the IOS package.
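The HOSTNAME and pattern-ordering points raised in this thread, as an added example that is not part of the PR or of the integration's own code: a small Python expander for the three grok patterns quoted above, run over constructed sample lines. The base patterns are simplified stand-ins for the stock grok definitions (HOSTNAME is the stock one, with its trailing group made non-capturing); the host names, message text and priority values in the samples are constructed. It shows that, because DATA is the non-greedy .*? and can span spaces, a hostname-prefixed line already matches the first pattern with the hostname absorbed into category.name when the patterns are tried in the order shown; that putting the hostname-aware pattern first fixes this; that HOSTNAME accepts an all-digit token; and that a hostname-prefixed line without a log level still falls through to the second pattern.

```python
import re

# Simplified grok base patterns (constructed for this example). HOSTNAME is the
# stock grok definition with its trailing group made non-capturing; the others
# are reduced equivalents sufficient for the sample lines below.
GROK_DEFS = {
    "NUMBER": r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "TIME": r"(?:2[0-3]|[01]?[0-9]):[0-5][0-9](?::[0-5][0-9])?",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",        # non-greedy, spans spaces: this is what absorbs a hostname
    "GREEDYDATA": r".*",
}

# %{NAME}, %{NAME:field} or %{NAME:field:type}
_REF = re.compile(r"%\{(\w+)(?::([\w.]+))?(?::(\w+))?\}")


def grok_to_regex(pattern, field_map, types):
    """Expand grok references into a Python regex. Python group names cannot
    contain dots, so fields are captured as g0, g1, ... and mapped back via
    field_map; declared types (e.g. long) are recorded in types."""
    def repl(m):
        name, field, ftype = m.group(1), m.group(2), m.group(3)
        body = grok_to_regex(GROK_DEFS[name], field_map, types)
        if field is None:
            return f"(?:{body})"
        gname = f"g{len(field_map)}"
        field_map[gname] = field
        if ftype:
            types[gname] = ftype
        return f"(?P<{gname}>{body})"
    return _REF.sub(repl, pattern)


def compile_patterns(patterns):
    compiled = []
    for p in patterns:
        field_map, types = {}, {}
        compiled.append((re.compile(grok_to_regex(p, field_map, types)), field_map, types))
    return compiled


def grok_match(line, compiled):
    """Try patterns in order, first match wins (as the ingest grok processor does).
    Returns (pattern_index, fields) or (None, {})."""
    for idx, (rx, field_map, types) in enumerate(compiled):
        m = rx.match(line)
        if not m:
            continue
        fields = {}
        for gname, value in m.groupdict().items():
            if value is None:
                continue
            if types.get(gname) == "long":
                value = int(value)
            fields[field_map[gname]] = value
        return idx, fields
    return None, {}


def hostname_matches(token):
    """True if the whole token is accepted by the HOSTNAME pattern."""
    return re.fullmatch(GROK_DEFS["HOSTNAME"], token) is not None


HOST = "cisco_secure_email_gateway.log.host"
CATEGORY = "cisco_secure_email_gateway.log.category.name"

# The three patterns as quoted in the review thread, in the order shown there.
PATTERNS_AS_ON_PAGE = [
    r"^(?:<%{NUMBER:log.syslog.priority:long}>)?%{SYSLOGTIMESTAMP:_tmp.timestamp} %{DATA:cisco_secure_email_gateway.log.category.name}: %{WORD:log.level}: %{GREEDYDATA:cisco_secure_email_gateway.log.message}$",
    r"^(?:<%{NUMBER:log.syslog.priority:long}>)?%{SYSLOGTIMESTAMP:_tmp.timestamp} %{DATA:cisco_secure_email_gateway.log.category.name}: %{GREEDYDATA:cisco_secure_email_gateway.log.message}$",
    r"^(?:<%{NUMBER:log.syslog.priority:long}>)?%{SYSLOGTIMESTAMP:_tmp.timestamp} (?:%{HOSTNAME:cisco_secure_email_gateway.log.host} )?%{DATA:cisco_secure_email_gateway.log.category.name}: %{WORD:log.level}: %{GREEDYDATA:cisco_secure_email_gateway.log.message}$",
]
# Same patterns with the hostname-aware one tried first.
PATTERNS_HOST_FIRST = [PATTERNS_AS_ON_PAGE[2], PATTERNS_AS_ON_PAGE[0], PATTERNS_AS_ON_PAGE[1]]

# Constructed sample lines (host names, MIDs and text are made up).
SAMPLE_WITH_HOST = "<14>Jan  5 10:11:12 esa01.example.com mail_logs: Info: MID 1 ICID 2 accepted"
SAMPLE_NO_HOST = "Jan  5 10:11:12 mail_logs: Info: MID 1 ICID 2 accepted"
SAMPLE_NUMERIC_HOST = "Jan  5 10:11:12 12345 mail_logs: Info: MID 3 ICID 4 accepted"
SAMPLE_HOST_NO_LEVEL = "Jan  5 10:11:12 esa01 mail_logs: MID 5 ICID 6 accepted"

if __name__ == "__main__":
    for label, pats in (("as on page", PATTERNS_AS_ON_PAGE), ("host first", PATTERNS_HOST_FIRST)):
        compiled = compile_patterns(pats)
        for line in (SAMPLE_WITH_HOST, SAMPLE_NO_HOST, SAMPLE_NUMERIC_HOST, SAMPLE_HOST_NO_LEVEL):
            idx, f = grok_match(line, compiled)
            print(f"[{label}] pattern #{idx}: host={f.get(HOST)!r} category={f.get(CATEGORY)!r}")
    print("HOSTNAME accepts '12345':", hostname_matches("12345"))
```

Run as a script it prints which pattern each sample hits under both orderings; the "as on page" run shows category.name = "esa01.example.com mail_logs" for the hostname line, the "host first" run splits it into host and category correctly.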
I'm also wondering if we should set log.syslog.hostname first, then copy it to cisco_secure_email_gateway.log.host in a separate processor.
https://www.elastic.co/guide/en/ecs/current/ecs-log.html#field-log-syslog-hostname
The risk I could see here is if that hostname isn't the actual hostname of the device (i.e., it's the hostname of a syslog collector).
After thinking about this some more, let's go with cisco_secure_email_gateway.log.host for now. Based on the sample logs in the package, if an event comes in through a log file, it will no longer have the syslog header, so the scenario I'm thinking of shouldn't happen. No actions/changes needed for now.
OK, thanks for digging deeper, @taylor-swanson. In the meantime, I have requested some more information in the SDH to verify that this is, indeed, the Cisco device hostname. I will merge this once that verification is complete.
Confirmed with the customer that this is, in fact, the Cisco device.
Package cisco_secure_email_gateway - 1.22.2 containing this change is available at https://epr.elastic.co/search?package=cisco_secure_email_gateway
Proposed commit message
Fix for grok if hostname appears before category.name in Cisco secure email gateway package