Skip to content

cisco_meraki: fix ECS mapping for translated IP and port #14389

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jul 6, 2025
Merged

cisco_meraki: fix ECS mapping for translated IP and port #14389

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
cea4435
cisco_meraki: fix ECS mapping for translated IP and port
efd6 Jul 2, 2025
053fd45
address pr comment
efd6 Jul 4, 2025
File filter

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions packages/cisco_meraki/changelog.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.29.2"
changes:
- description: Map translated source and destination IP and port to correct ECS fields.
type: bugfix
link: https://github.com/elastic/integrations/pull/14389
- version: "1.29.1"
changes:
- description: Fix the parsing of connecting and reconnecting events for `anyconnect_vpn_connect` and `client_vpn_connect`.
Expand Down
1 change: 1 addition & 0 deletions packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-ip-flow.log
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,3 +8,4 @@
<134>1 1647479325.755292025 MX100 ip_flow_end src=10.0.0.234 dst=81.2.69.144 protocol=tcp sport=36498 dport=80 translated_src_ip=1.128.3.4 translated_port=36498
<134>1 1647479325.755292025 MX100 ip_flow_start src=10.0.0.234 dst=81.2.69.145 protocol=icmp translated_src_ip=1.128.3.4
<134>1 1647479325.755292025 MX100 ip_flow_end src=10.0.2.99 dst=10.0.0.1 protocol=icmp translated_dst_ip=89.160.20.112
<134>1 1751379284.245040794 FW_01 ip_flow_start src=10.140.40.72 dst=81.2.69.144 protocol=udp sport=18212 dport=53 translated_src_ip=1.128.3.4 translated_port=13710
209 changes: 93 additions & 116 deletions packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-ip-flow.log-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,13 +41,11 @@
"hostname": "MX100"
},
"source": {
"as": {
"number": 1221,
"organization": {
"name": "Telstra Pty Ltd"
}
"ip": "10.0.0.234",
"nat": {
"ip": "1.128.3.4",
"port": 34294
},
"ip": "1.128.3.4",
"port": 34294
},
"tags": [
Expand Down Expand Up @@ -96,13 +94,11 @@
"hostname": "MX100"
},
"source": {
"as": {
"number": 1221,
"organization": {
"name": "Telstra Pty Ltd"
}
"ip": "10.0.0.234",
"nat": {
"ip": "1.128.3.4",
"port": 45061
},
"ip": "1.128.3.4",
"port": 45061
},
"tags": [
Expand Down Expand Up @@ -151,13 +147,11 @@
"hostname": "MX100"
},
"source": {
"as": {
"number": 1221,
"organization": {
"name": "Telstra Pty Ltd"
}
"ip": "10.0.0.234",
"nat": {
"ip": "1.128.3.4",
"port": 37401
},
"ip": "1.128.3.4",
"port": 37401
},
"tags": [
Expand Down Expand Up @@ -212,22 +206,11 @@
"hostname": "MX84"
},
"source": {
"as": {
"number": 209
},
"geo": {
"city_name": "Milton",
"continent_name": "North America",
"country_iso_code": "US",
"country_name": "United States",
"location": {
"lat": 47.2513,
"lon": -122.3149
},
"region_iso_code": "US-WA",
"region_name": "Washington"
"ip": "10.0.3.138",
"nat": {
"ip": "216.160.83.61",
"port": 61272
},
"ip": "216.160.83.61",
"port": 61272
},
"tags": [
Expand All @@ -241,25 +224,11 @@
"event_type": "ip_flow_end"
},
"destination": {
"as": {
"number": 29518,
"organization": {
"name": "Bredband2 AB"
}
},
"geo": {
"city_name": "Linköping",
"continent_name": "Europe",
"country_iso_code": "SE",
"country_name": "Sweden",
"location": {
"lat": 58.4167,
"lon": 15.6167
},
"region_iso_code": "SE-E",
"region_name": "Östergötland County"
"ip": "10.0.0.1",
"nat": {
"ip": "89.160.20.112",
"port": 53
},
"ip": "89.160.20.112",
"port": 53
},
"ecs": {
Expand Down Expand Up @@ -331,22 +300,11 @@
"hostname": "MX84"
},
"source": {
"as": {
"number": 209
},
"geo": {
"city_name": "Milton",
"continent_name": "North America",
"country_iso_code": "US",
"country_name": "United States",
"location": {
"lat": 47.2513,
"lon": -122.3149
},
"region_iso_code": "US-WA",
"region_name": "Washington"
"ip": "10.0.3.116",
"nat": {
"ip": "216.160.83.61",
"port": 38422
},
"ip": "216.160.83.61",
"port": 38422
},
"tags": [
Expand All @@ -360,25 +318,11 @@
"event_type": "ip_flow_end"
},
"destination": {
"as": {
"number": 29518,
"organization": {
"name": "Bredband2 AB"
}
},
"geo": {
"city_name": "Linköping",
"continent_name": "Europe",
"country_iso_code": "SE",
"country_name": "Sweden",
"location": {
"lat": 58.4167,
"lon": 15.6167
},
"region_iso_code": "SE-E",
"region_name": "Östergötland County"
"ip": "10.0.0.1",
"nat": {
"ip": "89.160.20.112",
"port": 53
},
"ip": "89.160.20.112",
"port": 53
},
"ecs": {
Expand Down Expand Up @@ -450,13 +394,11 @@
"hostname": "MX100"
},
"source": {
"as": {
"number": 1221,
"organization": {
"name": "Telstra Pty Ltd"
}
"ip": "10.0.0.234",
"nat": {
"ip": "1.128.3.4",
"port": 36498
},
"ip": "1.128.3.4",
"port": 36498
},
"tags": [
Expand Down Expand Up @@ -504,13 +446,10 @@
"hostname": "MX100"
},
"source": {
"as": {
"number": 1221,
"organization": {
"name": "Telstra Pty Ltd"
}
},
"ip": "1.128.3.4"
"ip": "10.0.0.234",
"nat": {
"ip": "1.128.3.4"
}
},
"tags": [
"forwarded",
Expand All @@ -523,25 +462,10 @@
"event_type": "ip_flow_end"
},
"destination": {
"as": {
"number": 29518,
"organization": {
"name": "Bredband2 AB"
}
},
"geo": {
"city_name": "Linköping",
"continent_name": "Europe",
"country_iso_code": "SE",
"country_name": "Sweden",
"location": {
"lat": 58.4167,
"lon": 15.6167
},
"region_iso_code": "SE-E",
"region_name": "Östergötland County"
},
"ip": "89.160.20.112"
"ip": "10.0.0.1",
"nat": {
"ip": "89.160.20.112"
}
},
"ecs": {
"version": "8.11.0"
Expand Down Expand Up @@ -569,6 +493,59 @@
"forwarded",
"preserve_original_event"
]
},
{
"@timestamp": "2025-07-01T14:14:44.245Z",
"cisco_meraki": {
"event_type": "ip_flow_start"
},
"destination": {
"geo": {
"city_name": "London",
"continent_name": "Europe",
"country_iso_code": "GB",
"country_name": "United Kingdom",
"location": {
"lat": 51.5142,
"lon": -0.0931
},
"region_iso_code": "GB-ENG",
"region_name": "England"
},
"ip": "81.2.69.144",
"port": 53
},
"ecs": {
"version": "8.11.0"
},
"event": {
"category": [
"network"
],
"original": "<134>1 1751379284.245040794 FW_01 ip_flow_start src=10.140.40.72 dst=81.2.69.144 protocol=udp sport=18212 dport=53 translated_src_ip=1.128.3.4 translated_port=13710",
"type": [
"info"
]
},
"message": "src=10.140.40.72 dst=81.2.69.144 protocol=udp sport=18212 dport=53 translated_src_ip=1.128.3.4 translated_port=13710",
"network": {
"protocol": "udp"
},
"observer": {
"hostname": "FW_01"
},
"source": {
"ip": "10.140.40.72",
"nat": {
"ip": "1.128.3.4",
"port": 13710
},
"port": 18212
},
"tags": [
"forwarded",
"preserve_original_event"
]
}
]
}
2 changes: 1 addition & 1 deletion packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-urls.log-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -228,7 +228,7 @@
"name": "Windows",
"version": "10"
},
"version": "108.0."
"version": "108.0"
}
},
{
Expand Down
44 changes: 22 additions & 22 deletions packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/ipflows.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,47 +17,47 @@ processors:
if: ctx._temp?.event != null
tag: kv_ip_flow_fields
# source field IP:port handling
- convert:
type: ip
field: translated_src_ip
target_field: source.ip
if: ctx?.translated_src_ip != null
- convert:
type: ip
field: src
target_field: source.ip
if: ctx?.translated_src_ip == null && ctx?.src != null
- convert:
field: translated_port
target_field: source.port
type: long
if: ctx?.translated_src_ip != null && ctx?.translated_port != null
if: ctx.src != null
- convert:
field: sport
target_field: source.port
type: long
if: ctx?.translated_src_ip == null && ctx?.sport != null
# destination field IP:port handling
if: ctx.sport != null
- convert:
type: ip
field: translated_dst_ip
target_field: destination.ip
if: ctx?.translated_dst_ip != null
field: translated_src_ip
target_field: source.nat.ip
if: ctx.translated_src_ip != null
- convert:
field: translated_port
target_field: source.nat.port
type: long
if: ctx.translated_port != null && ctx.source?.nat?.ip != null
# destination field IP:port handling
- convert:
type: ip
field: dst
target_field: destination.ip
if: ctx?.translated_dst_ip == null && ctx?.dst != null
if: ctx.dst != null
- convert:
field: translated_port
field: dport
target_field: destination.port
type: long
if: ctx?.translated_dst_ip != null && ctx?.translated_port != null
if: ctx.dport != null
- convert:
field: dport
target_field: destination.port
type: ip
field: translated_dst_ip
target_field: destination.nat.ip
if: ctx.translated_dst_ip != null
- convert:
field: translated_port
target_field: destination.nat.port
type: long
if: ctx?.translated_dst_ip == null && ctx?.dport != null
if: ctx.translated_port != null && ctx.destination?.nat?.ip != null
- rename:
field: protocol
target_field: network.protocol
Expand Down
2 changes: 1 addition & 1 deletion packages/cisco_meraki/manifest.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
format_version: "3.0.2"
name: cisco_meraki
title: Cisco Meraki
version: "1.29.1"
version: "1.29.2"
description: Collect logs from Cisco Meraki with Elastic Agent.
type: integration
categories:
Expand Down