
Conversation

@aleksmaus (Contributor)

Proposed commit message

Fix grok failure with username with spaces on ftd messageID.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Related issues

@aleksmaus aleksmaus added Integration:cisco_ftd Cisco FTD bugfix Pull request that fixes a bug issue Team:Security-Deployment and Devices DEPRECATED Deployment and Devices Security team [elastic/sec-deployment-and-devices] labels Sep 20, 2024
@aleksmaus aleksmaus self-assigned this Sep 20, 2024
@aleksmaus aleksmaus requested a review from a team as a code owner September 20, 2024 13:21
@elasticmachine

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

@taylor-swanson (Contributor) left a comment


I'm really not sure why these patterns were made to be so complicated. As these issues have come up, I've started taking this approach over in cisco_asa: https://github.com/elastic/integrations/blob/main/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml#L935

At the end of the day, the values we extract are either made of "not angle brackets" or "not spaces", depending on which pattern in the grok is used. We definitely need to get out of the business of trying to validate these logs.

I highly recommend the same approach here.
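As an added illustration of the point made in this comment (example code, not from the PR or from the cisco_ftd package): grok patterns compile to regular expressions, so the same contrast can be shown with Python's `re`. The strict pattern treats the username as a single word-like token and silently fails on a name containing a space; the permissive pattern accepts "not angle brackets" inside brackets or "not spaces" when bare, which is the approach recommended above. The message layout, field names and sample values are constructed for the demonstration; the real FTD message format is not shown on this page.

```python
import re

# Constructed sample messages (hypothetical layout; not real Cisco FTD output).
SAMPLES = [
    "User <jdoe> logged in from 10.0.0.5",
    "User <John Doe> logged in from 10.0.0.5",  # username with a space
    "User jdoe logged in from 10.0.0.5",         # bare, unbracketed username
]

# Strict pattern: username is one \w+ token, brackets optional.
# This is the kind of "validating" pattern that breaks on "John Doe".
STRICT = re.compile(
    r"^User <?(?P<user>\w+)>? logged in from (?P<src>\S+)$"
)

# Permissive pattern: inside <...> take anything that is not an angle
# bracket; otherwise take anything that is not whitespace. No attempt to
# validate what a username "should" look like.
PERMISSIVE = re.compile(
    r"^User (?:<(?P<user>[^<>]+)>|(?P<user_bare>\S+)) logged in from (?P<src>\S+)$"
)


def _result(match):
    """Normalise a match into a plain dict, merging the two username groups."""
    if match is None:
        return None
    groups = match.groupdict()
    user = groups.get("user") or groups.get("user_bare")
    return {"user": user, "src": groups["src"]}


def parse_strict(line):
    """Parse with the strict pattern; returns None on a grok-style failure."""
    return _result(STRICT.match(line))


def parse_permissive(line):
    """Parse with the permissive 'not brackets / not spaces' pattern."""
    return _result(PERMISSIVE.match(line))


def failures(parser, lines=SAMPLES):
    """Return the sample lines a parser fails on (the _grokparsefailure cases)."""
    return [line for line in lines if parser(line) is None]


if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r}\n  strict:     {parse_strict(line)}\n  permissive: {parse_permissive(line)}")
```

The grok equivalent of the permissive branch is a custom pattern such as `(?<user>[^<>]+)` rather than a named pattern like `%{USERNAME}`; the ingest pipeline then relies on the surrounding literal delimiters, not on the shape of the value, to decide where a field ends.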

@aleksmaus (Contributor, Author)

@taylor-swanson I updated the grok patterns per your suggestion. Could you take another look and give it 👍 ?

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

History

cc @aleksmaus

@aleksmaus aleksmaus merged commit 6f47989 into elastic:main Oct 2, 2024
@elastic-vault-github-plugin-prod

Package cisco_ftd - 3.4.2 containing this change is available at https://epr.elastic.co/search?package=cisco_ftd

harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 4, 2025
…ID. (elastic#11198) * [cisco_ftd] Fix grok failure with username with spaces on ftd messageID. * Update changelog PR number * Fix test files names * Change the pipeline grok per code review feedback
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 5, 2025
…ID. (elastic#11198) * [cisco_ftd] Fix grok failure with username with spaces on ftd messageID. * Update changelog PR number * Fix test files names * Change the pipeline grok per code review feedback

4 participants