@brijesh-elastic
Collaborator

Proposed commit message

cisco_meraki: Fix the parsing of connecting and reconnecting events for anyconnect_vpn_connect and client_vpn_connect. 

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/cisco_meraki directory.
  • Run the following command to run tests.

elastic-package test

Related issues

@brijesh-elastic brijesh-elastic self-assigned this Jun 16, 2025
@brijesh-elastic brijesh-elastic requested a review from a team as a code owner June 16, 2025 16:03
@brijesh-elastic brijesh-elastic added Integration:cisco_meraki Cisco Meraki bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Jun 16, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elastic-vault-github-plugin-prod

elastic-vault-github-plugin-prod bot commented Jun 16, 2025

🚀 Benchmarks report

Package cisco_meraki 👍(0) 💚(1) 💔(1)

| Data stream | Previous EPS | New EPS | Diff (%) | Result |
|---|---|---|---|---|
| events | 500000 | 333333.33 | -166666.67 (-33.33%) | 💔 |

To see the full report comment with /test benchmark fullreport

@brijesh-elastic brijesh-elastic requested a review from efd6 June 17, 2025 05:27
@kcreddy
Contributor

kcreddy commented Jun 17, 2025

/test

@kcreddy
Contributor

kcreddy commented Jun 17, 2025

@brijesh-elastic, this doesn't seem to be an issue with CI. I was able to get similar output as CI locally. Please check.

diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json index 95c5c74b29..d36643f01f 100644 --- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json +++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json @@ -553,12 +553,20 @@ "observer": { "hostname": "MX_device_4" }, + "related": { + "user": [ + "user", + "user@example.com" + ] + }, "tags": [ "forwarded", "preserve_original_event" ], "user": { - "name": "user@example.com" + "domain": "example.com", + "email": "user@example.com", + "name": "user" } }, { @@ -1728,6 +1736,11 @@ "observer": { "hostname": "TCP9001" }, + "related": { + "user": [ + "user.name3" + ] + }, "tags": [ "forwarded", "preserve_original_event" diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-urls.log-expected.json b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-urls.log-expected.json index c6e3ec0610..b42049f515 100644 --- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-urls.log-expected.json +++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-urls.log-expected.json @@ -228,7 +228,7 @@ "name": "Windows", "version": "10" }, - "version": "108.0" + "version": "108.0." } }, {
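Review bot: In the test-events.log-expected.json hunk at @@ -553, `user.name` no longer carries the full address: it goes from `user@example.com` to `user`, with the address moved into `user.email` and `user.domain`. Any query or rule that matches on the old `user.name` value will stop matching, so confirm the split is intended for this data stream and is not a side effect of the stack version used to generate the expectations; if it is intended, say so in the changelog entry. The `related.user` additions here and at @@ -1728 should be regenerated under the same conditions so that both hunks agree.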
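Review bot: The new `"version": "108.0."` in the test-urls.log-expected.json hunk at @@ -228 ends in a trailing dot, which reads as a parsing artefact rather than a version string. This expectation should not be committed as it stands: regenerate it and check whether the value returns to `108.0`, and if the trailing dot persists, track down which processor produces it before updating the expected file.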
@elasticmachine

💚 Build Succeeded


cc @brijesh-elastic

@efd6
Contributor

efd6 commented Jun 18, 2025

This is a stack version issue; it's important to run the test expectation generation with the same stack version as is specified by the package's manifest kibana.version.

@brijesh-elastic
Collaborator Author

> This is a stack version issue; it's important to run the test expectation generation with the same stack version as is specified by the package's manifest kibana.version.

Thanks @efd6, Resolved in 579e558
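
One way to apply the version-matching advice from this exchange, as an added example that is not part of the PR or of elastic-package itself: the helper names `kibana_floor` and `regen_commands` are hypothetical, and the script assumes the lowest version named in the manifest's `kibana.version` constraint is the one to generate expectations against. It only prints the `elastic-package` commands rather than running them.

```shell
#!/usr/bin/env bash
# Added example: derive the stack version from a package manifest before
# regenerating pipeline test expectations, so the expected JSON is not
# produced by a newer stack than the package declares.

# Print the lowest x.y.z named in conditions.kibana.version of a manifest.yml.
# Handles both the nested form (kibana: / version:) and the flat
# "kibana.version:" key, and constraints such as "^8.13.0 || ^9.0.0".
kibana_floor() {
  awk '
    /^conditions:/                    { in_cond = 1; next }
    in_cond && /^[^ #]/               { in_cond = 0; in_kib = 0 }
    in_cond && /^  kibana\.version:/  { sub(/^  kibana\.version:[ ]*/, ""); print; exit }
    in_cond && /^  kibana:/           { in_kib = 1; next }
    in_kib && /^  [^ ]/               { in_kib = 0 }
    in_kib && /^    version:/         { sub(/^    version:[ ]*/, ""); print; exit }
  ' "$1" |
    grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' |
    sort -t. -k1,1n -k2,2n -k3,3n |
    head -n 1
}

# Print the commands to run for a package directory (for example
# packages/cisco_meraki). Fails if the manifest has no usable constraint,
# rather than silently falling back to whatever stack is already running.
regen_commands() {
  v=$(kibana_floor "$1/manifest.yml")
  if [ -z "$v" ]; then
    echo "no kibana.version constraint found in $1/manifest.yml" >&2
    return 1
  fi
  printf 'elastic-package stack up -d --version %s\n' "$v"
  printf '(cd %s && elastic-package test pipeline --generate)\n' "$1"
}

# Run as a script: ./regen.sh packages/cisco_meraki
if [ "$#" -gt 0 ]; then
  regen_commands "$1"
fi
```
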

Comment on lines +542 to +547
"type": [
"info",
"access",
"allowed",
"start"
]
Contributor

Why do the event.types (and event.categorys) differ between the client_vpn_connect and the anyconnect_vpn_connect cases?

Collaborator Author

By default, we're adding network in event.category and info in event.type (see here)
and for client_vpn_connect subtype, event categorization is performed again here.

Contributor

Probably worth a follow-up issue. Not for now.

Collaborator Author

sure.

Contributor

@efd6 efd6 left a comment

Thanks

@efd6 efd6 merged commit f863e41 into elastic:main Jun 19, 2025
7 checks passed
@elastic-vault-github-plugin-prod

Package cisco_meraki - 1.29.1 containing this change is available at https://epr.elastic.co/package/cisco_meraki/1.29.1/

shmsr pushed a commit to shmsr/integrations that referenced this pull request Jun 30, 2025