[cisco_asa] Time with fraction-of-seconds support

[jrmolin]

Proposed commit message

[cisco_asa] Timestamp with fraction-of-seconds now parsed

• Some Cisco timestamps had fraction-of-second showing up and causing pipeline errors
• Two new log examples added
• No existing pipeline tests failed
• New logs parsed successfully

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• [ ] I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• [ ]

How to test this PR locally

cd packages/cisco_asa elastic-package test pipeline 

Related issues

Screenshots

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[jrmolin]

previous PR: #12202

[mjwolf]

This looks good to me, but could you also add a test case with both fractions-of-seconds and a non-UTC timezone? It would be good to verify they work together

[taylor-swanson]

This is getting a bit ridiculous... I think we should look at re-doing this part.

I was playing around with the pipeline simulator and came up with this:

"[EEE ]MMM [ ]d[ yyyy] HH:mm:ss[.nnn][ z]" 

I haven't tested all cases yet, but this does seem to catch most of them. One caveat, I truncated the fractional seconds down to three digits (millisecond precision). The date processor does this already, so I don't think this is a problem.

[jrmolin]

I agree! I was getting some weird errors when updating, and I have to use the .SSS instead of .n, because the .n doesn't actually get output.

[taylor-swanson]

Okay, can confirm, I did test the following and all tests pass, except one, where event.timezone: "UTC" shows up in the results 🤷

 # # Parse the date included in FTD logs # - date: if: ctx._temp_?.raw_date != null tag: parse_raw_date timezone: "{{{ event.timezone }}}" field: "_temp_.raw_date" formats: - "ISO8601" - "[EEE ]MMM [ ]d[ yyyy] HH:mm:ss[.nnnnnnnnn][.SSS][ z]" on_failure: # Try to re-parse as UTC to catch when TZ is invalid or unknown. - remove: field: event.timezone ignore_missing: true - date: if: ctx._temp_?.raw_date != null tag: "parse_raw_date_fallback" field: "_temp_.raw_date" formats: - "ISO8601" - "[EEE ]MMM [ ]d[ yyyy] HH:mm:ss[.nnnnnnnnn][.SSS][ z]"

By the way, I made a slight adjustment to the fractional seconds... nanoseconds is tried first, but will only match if there's 9 digits (as expected), or it will match against the milliseconds one.

As Michael mentioned, a couple more test cases are needed (especially with fractional seconds).

[elasticmachine]

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

[taylor-swanson]

Updated changes seem fine to me. My original suggestion only supported milliseconds and nanoseconds, not microseconds. I don't think there's a clever way to do all of that in one pattern.

My only last request is that we have a nanosecond test case (can literally just copy one the microsecond case and add 3 extra digits at the end to make it nanoseconds).

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: ff76504

History

• 💚 Build #23321 succeeded 9a5d3a3
• 💚 Build #23248 succeeded cbaaea2

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[taylor-swanson]

LGTM

[elastic-vault-github-plugin-prod]

Package cisco_asa - 2.43.1 containing this change is available at https://epr.elastic.co/package/cisco_asa/2.43.1/