[cisco_ios] Fix parsing of FQDN hostnames #13450
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Cisco hostnames support digits as the first character in the hostname, but this was not supported by the ingest pipeline, causing errors when ingesting documents with such names. This updates the pipeline to properly parse hostnames with a leading digit. This does not allow all-digit hostnames. While this could be a supported Cisco hostname, it causes confustion with the Cisco sequence number in some output formats, as the position of hostname and sequence number can be similar depending on the output format, and the grok patterns will match on both. So this excludes all-digit hostnames to maintain compatibility with all Cisco IOS output formats.
mjwolf added Integration:cisco_ios 
| Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices) |
mjwolf force-pushed the cisco_ios_hostname branch from a4b2ed0 to 82b5566 Compare mjwolf force-pushed the cisco_ios_hostname branch from 82b5566 to c5d2971 Compare 
🚀 Benchmarks reportTo see the full report comment with |
mjwolf changed the title 
ilyannn reviewed Apr 8, 2025
packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml Outdated Show resolved Hide resolved
qcorporation reviewed Apr 8, 2025
packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-fqdn.log-expected.json Show resolved Hide resolved
packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml Outdated Show resolved Hide resolved
mjwolf changed the title packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml Outdated Show resolved Hide resolved
|
💚 Build Succeeded
History
|
qcorporation approved these changes Apr 11, 2025
Contributor
qcorporation left a comment
qcorporation left a comment There was a problem hiding this comment.
Thanks for the updates
| Package cisco_ios - 1.30.1 containing this change is available at https://epr.elastic.co/package/cisco_ios/1.30.1/ |
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
Proposed commit message
In some cases messages with FQDN hostnames were not being parsed properly. The message body and header were not being properly parsed, so some header data (e.g.
event.code) was not being parsed. This corrects parsing of these cases.The problem was the most greedy case of consuming the most of the body into
messagewas hit before the case of properly parsing more header fields, so rearranging the patterns fixes things. This also reduces the number of patterns by combining very similar patterns.Checklist
changelog.ymlfile.[ ] I have verified that any added dashboard complies with Kibana's Dashboard good practices