arista_ngfw: fix handling of event.type duplication (#6878)

Author: MakoWish

packages/arista_ngfw/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.1.1"
+ changes:
+ - description: Fix bugs in default ingest pipeline
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/6878
 - version: "0.1.0"
  changes:
  - description: Add support for session stats events

packages/arista_ngfw/data_stream/log/_dev/test/pipeline/test-intrusion-detection.log-expected.json

@@ -24,7 +24,6 @@
  "provider": "intrusion_prevention",
  "timezone": "America/Denver",
  "type": [
- "denied",
  "denied"
  ]
  },
@@ -109,7 +108,6 @@
  "provider": "intrusion_prevention",
  "timezone": "America/Denver",
  "type": [
- "denied",
  "denied"
  ]
  },
@@ -191,7 +189,6 @@
  "provider": "intrusion_prevention",
  "timezone": "America/Denver",
  "type": [
- "denied",
  "denied"
  ]
  },
@@ -279,7 +276,6 @@
  "provider": "intrusion_prevention",
  "timezone": "America/Denver",
  "type": [
- "denied",
  "denied"
  ]
  },
@@ -367,7 +363,6 @@
  "provider": "intrusion_prevention",
  "timezone": "America/Denver",
  "type": [
- "denied",
  "denied"
  ]
  },
@@ -455,7 +450,6 @@
  "provider": "intrusion_prevention",
  "timezone": "America/Denver",
  "type": [
- "denied",
  "denied"
  ]
  },
@@ -543,7 +537,6 @@
  "provider": "intrusion_prevention",
  "timezone": "America/Denver",
  "type": [
- "denied",
  "denied"
  ]
  },
@@ -631,7 +624,6 @@
  "provider": "intrusion_prevention",
  "timezone": "America/Denver",
  "type": [
- "denied",
  "denied"
  ]
  },
@@ -719,7 +711,6 @@
  "provider": "intrusion_prevention",
  "timezone": "America/Denver",
  "type": [
- "denied",
  "denied"
  ]
  },
@@ -807,7 +798,6 @@
  "provider": "intrusion_prevention",
  "timezone": "America/Denver",
  "type": [
- "denied",
  "denied"
  ]
  },

packages/arista_ngfw/data_stream/log/elasticsearch/ingest_pipeline/default.yml

@@ -77,6 +77,14 @@ processors:
  return;
  }
  ctx.log.syslog.severity.name = params[(ctx.log.syslog.severity.code).toString()];
+
+ # Remove port number from syslog source, and put to ECS log.syslog.hostname
+ - gsub:
+ if: ctx.log?.source?.address != null && ctx.log.source.address != ''
+ field: log.source.address
+ pattern: :.*
+ replacement: ''
+ target_field: log.syslog.hostname
  
  # Parse the JSON message to arista.*
  - json:
@@ -572,10 +580,14 @@ processors:
  }
  if (ctx.event.category.contains('network') || ctx.event.category.contains('intrusion_detection')) {
  if (ctx.event.outcome == 'success') {
- ctx.event.type.add('allowed');
+ if (ctx.event?.type == null || !ctx.event.type.contains('allowed')) {
+ ctx.event.type.add('allowed');
+ }
  }
  if (ctx.event.outcome == 'failure') {
- ctx.event.type.add('denied');
+ if (ctx.event?.type == null || !ctx.event.type.contains('denied')) {
+ ctx.event.type.add('denied');
+ }
  }
  }
 

packages/arista_ngfw/data_stream/log/fields/ecs.yml

@@ -128,6 +128,8 @@
  name: log.syslog.facility.code
 - external: ecs
  name: log.syslog.facility.name
+- external: ecs
+ name: log.syslog.hostname
 - external: ecs
  name: log.syslog.severity.code
 - external: ecs

packages/arista_ngfw/docs/README.md

@@ -256,6 +256,7 @@ An example event for `log` looks as following:
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
 | log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
 | log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword |
+| log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword |
 | log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
 | log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
 | log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword |

packages/arista_ngfw/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 2.5.1
 name: arista_ngfw
 title: "Arista NG Firewall"
-version: 0.1.0
+version: 0.1.1
 source:
  license: "Elastic-2.0"
 description: "Collect logs and metrics from Arista NG Firewall."