Fix Cisco ASA/FTD msgs that use a host name as NAT address #18376
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sometimes the mapped source/destination IP field of an event is a hostname instead of an IP address. This caused ingestion of the event to fail. This patch makes the asa-ftd-pipeline to only populate those fields when a valid IP address is found. In the future we may want to revisit this if .nat.domain or .nat.address fields become available.
botelastic
bot
added
the
needs_team
adriansr
changed the title
adriansr
added
bug
needs_backport
|
Pinging @elastic/siem (Team:SIEM) |
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
Steps errorsExpand to view the steps failures
|
adriansr
added a commit
to adriansr/beats
that referenced
this pull request
May 14, 2020
…8376) Sometimes the mapped source/destination IP field of an event is a hostname instead of an IP address. This caused ingestion of the event to fail. This patch makes the asa-ftd-pipeline to only populate those fields when a valid IP address is found. In the future we may want to revisit this if .nat.domain or .nat.address fields become available. (cherry picked from commit b24ed97)
6 tasks
adriansr
added
v7.9.0
and removed
needs_backport
adriansr
added a commit
to adriansr/beats
that referenced
this pull request
May 14, 2020
…8376) Sometimes the mapped source/destination IP field of an event is a hostname instead of an IP address. This caused ingestion of the event to fail. This patch makes the asa-ftd-pipeline to only populate those fields when a valid IP address is found. In the future we may want to revisit this if .nat.domain or .nat.address fields become available. (cherry picked from commit b24ed97)
6 tasks
adriansr
added a commit
to adriansr/beats
that referenced
this pull request
May 14, 2020
…8376) Sometimes the mapped source/destination IP field of an event is a hostname instead of an IP address. This caused ingestion of the event to fail. This patch makes the asa-ftd-pipeline to only populate those fields when a valid IP address is found. In the future we may want to revisit this if .nat.domain or .nat.address fields become available. (cherry picked from commit b24ed97)
6 tasks
v1v
added a commit
to v1v/beats
that referenced
this pull request
May 15, 2020
…w-oss * upstream/master: (27 commits) Disable host fields for "cloud", panw, cef modules (elastic#18223) [docs] Rename monitoring collection from legacy internal collection to legacy collection (elastic#18504) Introduce auto detection of format (elastic#18095) Add additional fields to address issue elastic#18465 for googlecloud audit log (elastic#18472) Fix libbeat import path in seccomp policy template (elastic#18418) Address Okta input issue elastic#18530 (elastic#18534) [Ingest Manager] Avoid Chown on windows (elastic#18512) Fix Cisco ASA/FTD msgs that use a host name as NAT address (elastic#18376) [CI] Optimise stash/unstash performance (elastic#18473) Libbeat: Remove global loggers from libbeat/metric and libbeat/cloudid (elastic#18500) Fix PANW bad mapping of client/source and server/dest packets and bytes (elastic#18525) Add a file lock to the data directory on startup to prevent multiple agents. (elastic#18483) Followup to 12606 (elastic#18316) changed input from syslog to tcp/udp due to unsupported RFC (elastic#18447) Improve ECS field mappings in Sysmon module. (elastic#18381) [Elastic Agent] Cleaner output of inspect command (elastic#18405) [Elastic Agent] Pick up version from libbeat (elastic#18350) Update communitybeats.asciidoc (elastic#18470) [Metricbeat] Change visualization interval from 15m to >=15m (elastic#18466) docs: Fix typo in kerberos docs (elastic#18503) ...
adriansr
added a commit
that referenced
this pull request
May 15, 2020
…18546) Sometimes the mapped source/destination IP field of an event is a hostname instead of an IP address. This caused ingestion of the event to fail. This patch makes the asa-ftd-pipeline to only populate those fields when a valid IP address is found. In the future we may want to revisit this if .nat.domain or .nat.address fields become available. (cherry picked from commit b24ed97)
adriansr
added a commit
that referenced
this pull request
May 15, 2020
…18545) Sometimes the mapped source/destination IP field of an event is a hostname instead of an IP address. This caused ingestion of the event to fail. This patch makes the asa-ftd-pipeline to only populate those fields when a valid IP address is found. In the future we may want to revisit this if .nat.domain or .nat.address fields become available. (cherry picked from commit b24ed97)
adriansr
added a commit
that referenced
this pull request
May 15, 2020
…18544) Sometimes the mapped source/destination IP field of an event is a hostname instead of an IP address. This caused ingestion of the event to fail. This patch makes the asa-ftd-pipeline to only populate those fields when a valid IP address is found. In the future we may want to revisit this if .nat.domain or .nat.address fields become available. (cherry picked from commit b24ed97)
leweafan
pushed a commit
to leweafan/beats
that referenced
this pull request
Apr 28, 2023
…8376) (elastic#18546) Sometimes the mapped source/destination IP field of an event is a hostname instead of an IP address. This caused ingestion of the event to fail. This patch makes the asa-ftd-pipeline to only populate those fields when a valid IP address is found. In the future we may want to revisit this if .nat.domain or .nat.address fields become available. (cherry picked from commit c4ccf2a)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Fixes the ingestion of Cisco ASA/FTD events that have a hostname as a NAT target, where an IP was expected.
Why is it important?
Because some NAT setups were causing ingestion failures.
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Related issues