
Conversation

@gogochan
Contributor

@gogochan gogochan commented Feb 25, 2025

Proposed commit message

This PR adds an error message for Fortinet Firewall if url parsing fails.
https://github.com/elastic/sdh-beats/issues/5691

The test file was removed since elastic-package cannot handle the test data with an error.message field.

Update

Instead of generating a dedicated field, I chose to populate the error message, as it displays the original url.

     {
    +    "@timestamp": "2025-02-05T00:19:02.000-07:00",
    +    "destination": {
    +        "ip": "10.7.3.6",
    +        "port": 80
    +    },
    +    "ecs": {
    +        "version": "8.17.0"
    +    },
    +    "error": {
    +        "message": [
    +            "url parsing failed with message unable to parse URI [%/%70%68%70%70%61%74%68/%70%68%70?%2d%64+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e+%2d%64+%73%61%66%65%5f%6d%6f%64%65%3d%6f%66%66+%2d%64+%73%75%68%6f%73%69%6e%2e%73%69%6d%75%6c%61%74%69%6f%6e%3d%6f%6e+%2d%64+%64%69%73%61%62%6c%65%5f%66%75]"
    +        ]
    +    },
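The following request body is an added illustration of the behaviour the sample output above shows; it is not the fortinet_fortigate integration's own pipeline. It can be sent to the Elasticsearch `_ingest/pipeline/_simulate` endpoint: a `uri_parts` processor with an `on_failure` handler that appends the processor's failure message (which already includes the raw URL) to `error.message`, so the event still indexes instead of being dropped. The source field name `_tmp.url` is an assumption; the URL value is the one from the sample output above.

```json
{
  "pipeline": {
    "description": "Added example: keep the raw URL in error.message when uri_parts cannot parse it",
    "processors": [
      {
        "uri_parts": {
          "field": "_tmp.url",
          "target_field": "url",
          "keep_original": true,
          "remove_if_successful": true,
          "on_failure": [
            {
              "append": {
                "field": "error.message",
                "value": "url parsing failed with message {{{ _ingest.on_failure_message }}}"
              }
            }
          ]
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "_tmp": {
          "url": "%/%70%68%70%70%61%74%68/%70%68%70?%2d%64+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e+%2d%64+%73%61%66%65%5f%6d%6f%64%65%3d%6f%66%66+%2d%64+%73%75%68%6f%73%69%6e%2e%73%69%6d%75%6c%61%74%69%6f%6e%3d%6f%6e+%2d%64+%64%69%73%61%62%6c%65%5f%66%75"
        }
      }
    },
    {
      "_source": {
        "_tmp": {
          "url": "http://example.test/index.html?q=1"
        }
      }
    }
  ]
}
```

The first document fails because the value starts with `%/`, a percent sign that is not followed by two hex digits, which a strict RFC 3986 parser rejects; the simulate response shows it with `error.message` populated and no `url.*` fields, since `uri_parts` only writes its target fields (including `url.original` under `keep_original`) after a successful parse. The second, well-formed document parses normally and gains `url.scheme`, `url.domain`, `url.path` and `url.query`. Running both through the same pipeline is a quick check that the failure handler does not interfere with the normal path.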

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices


@gogochan gogochan added the Team:Security-Deployment and Devices DEPRECATED Deployment and Devices Security team [elastic/sec-deployment-and-devices] label Feb 25, 2025
@gogochan gogochan marked this pull request as ready for review February 25, 2025 22:35
@gogochan gogochan requested a review from a team as a code owner February 25, 2025 22:35
@elasticmachine

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

@elastic-vault-github-plugin-prod

elastic-vault-github-plugin-prod bot commented Feb 26, 2025

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

Contributor

@taylor-swanson taylor-swanson left a comment


I'm a bit confused, the description says this will store the original url under url.original, but I'm only seeing us appending to error.message. Does uri_parts failing automatically put the original url under url.original?

@gogochan
Contributor Author

> I'm a bit confused, the description says this will store the original url under url.original, but I'm only seeing us appending to error.message. Does uri_parts failing automatically put the original url under url.original?

Sorry about that. I updated the PR message late. I have added additional detail and sample output.

@elasticmachine

💚 Build Succeeded


@gogochan gogochan merged commit ee6f8bb into main Mar 4, 2025
7 checks passed
@gogochan gogochan deleted the sdh/5691 branch March 4, 2025 19:11
@elastic-vault-github-plugin-prod

Package fortinet_fortigate - 1.30.0 containing this change is available at https://epr.elastic.co/package/fortinet_fortigate/1.30.0/

@andrewkroh andrewkroh added the Integration:fortinet_fortigate Fortinet FortiGate Firewall Logs label Mar 13, 2025