Skip to content

[cisco_ftd] Fix grok failure with username with spaces on ftd messageID.#11198

Merged
aleksmaus merged 5 commits intoelastic:mainfrom
aleksmaus:fix/cisco_ftd_grok
Oct 2, 2024
Merged

[cisco_ftd] Fix grok failure with username with spaces on ftd messageID.#11198
aleksmaus merged 5 commits intoelastic:mainfrom
aleksmaus:fix/cisco_ftd_grok

Conversation

@aleksmaus
Copy link
Copy Markdown
Contributor

@aleksmaus aleksmaus commented Sep 20, 2024

Proposed commit message

Fix grok failure with username with spaces on ftd messageID.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Related issues

@aleksmaus aleksmaus added Integration:cisco_ftd Cisco FTD bugfix Pull request that fixes a bug issue Team:Security-Deployment and Devices DEPRECATED Deployment and Devices Security team [elastic/sec-deployment-and-devices] labels Sep 20, 2024
@aleksmaus aleksmaus self-assigned this Sep 20, 2024
@aleksmaus aleksmaus requested a review from a team as a code owner September 20, 2024 13:21
@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Sep 20, 2024

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

taylor-swanson
taylor-swanson reviewed Sep 23, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@taylor-swanson taylor-swanson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm really not sure why these patterns were made to be so complicated. As these issues have come up, I've started taking this approach over in cisco_asa: https://github.com/elastic/integrations/blob/main/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml#L935

At the end of the day, the values we extract are either made of "not angle brackets" or "not spaces", depending on which pattern in the grok is used. We definitely need to get out of the business of trying to validate these logs.

I highly recommend the same approach here.

@aleksmaus
Copy link
Copy Markdown
Contributor Author

aleksmaus commented Oct 1, 2024

@taylor-swanson I updated the grok patterns per your suggestion. Could you take another look and give it 👍 ?

@elastic-vault-github-plugin-prod
Copy link
Copy Markdown

elastic-vault-github-plugin-prod Bot commented Oct 1, 2024

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Oct 1, 2024

💚 Build Succeeded

History

cc @aleksmaus

@elastic-sonarqube
Copy link
Copy Markdown

elastic-sonarqube Bot commented Oct 1, 2024

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
71.4% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

@aleksmaus aleksmaus merged commit 6f47989 into elastic:main Oct 2, 2024
@elastic-vault-github-plugin-prod
Copy link
Copy Markdown

elastic-vault-github-plugin-prod Bot commented Oct 2, 2024

Package cisco_ftd - 3.4.2 containing this change is available at https://epr.elastic.co/search?package=cisco_ftd

harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 4, 2025
@aleksmaus
[cisco_ftd] Fix grok failure with username with spaces on ftd message…
1d22441 
…ID. (elastic#11198)

* [cisco_ftd] Fix grok failure with username with spaces on ftd messageID.

* Update changelog PR number

* Fix test files names

* Change the pipeline grok per code review feedback
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 5, 2025
@aleksmaus
[cisco_ftd] Fix grok failure with username with spaces on ftd message…
3d1a66e 
…ID. (elastic#11198)

* [cisco_ftd] Fix grok failure with username with spaces on ftd messageID.

* Update changelog PR number

* Fix test files names

* Change the pipeline grok per code review feedback
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gogochan gogochan gogochan approved these changes

@taylor-swanson taylor-swanson Awaiting requested review from taylor-swanson

Assignees

@aleksmaus aleksmaus

Labels

bugfix Pull request that fixes a bug issue Integration:cisco_ftd Cisco FTD Team:Security-Deployment and Devices DEPRECATED Deployment and Devices Security team [elastic/sec-deployment-and-devices]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[cisco_ftd]: Can't Grok Username with spaces on ftd messageID 113039

4 participants

@aleksmaus @elasticmachine @gogochan @taylor-swanson