[Arista NG Firewall] Correct Grok pattern due to change in Syslog message format. #12176

Open. Wants to merge 2 commits into base: main

Conversation

MakoWish
Contributor

@MakoWish MakoWish commented Dec 22, 2024

Type of change

  • Bug

Proposed commit message

A recent update to Arista NG Firewall changed the Syslog message format slightly. Where there used to be two spaces after uvm[0]: , the new format only includes a single space. The following Grok pattern accounts for both the old double-spaced format and the new single-spaced format.

<%{NONNEGINT:log.syslog.priority:int}>%{SYSLOGTIMESTAMP:_temp_.raw_date} %{WORD}  %{NOTSPACE}\:[\s]+%{GREEDYDATA:_temp_.full_message}

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • Tested changes locally

How to test this PR locally

Modified the default ingest pipeline with the proposed Grok pattern change, and the messages are now parsing again properly.

Related issues
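To see what the proposed pattern tolerates, here is the Grok expression from the PR description translated into a Python regular expression and run over two constructed syslog lines, one in the old double-spaced format and one in the new single-spaced format. This is an added example, not code from the PR or the Elastic integration: the Grok macros are expanded to their stock definitions (NONNEGINT, SYSLOGTIMESTAMP, WORD, NOTSPACE, GREEDYDATA) with the month name simplified to three letters, the sample lines are invented, and the "strict" two-space pattern shown for contrast is an assumption about the pre-fix behaviour the description refers to, since the old pattern itself is not on the page.

```python
import re

# Translation of the Grok pattern proposed in the PR description:
#   <%{NONNEGINT:log.syslog.priority:int}>%{SYSLOGTIMESTAMP:_temp_.raw_date} %{WORD}  %{NOTSPACE}\:[\s]+%{GREEDYDATA:_temp_.full_message}
# Stock Grok definitions expanded: NONNEGINT -> \d+, SYSLOGTIMESTAMP -> MONTH +MONTHDAY TIME
# (month simplified to three letters here), WORD -> \w+, NOTSPACE -> \S+, GREEDYDATA -> .*
SYSLOG_TS = r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"

PROPOSED_PATTERN = re.compile(
    r"^<(?P<priority>\d+)>"
    rf"(?P<raw_date>{SYSLOG_TS}) "
    r"(?P<host>\w+)  "          # two literal spaces after the hostname, as in the PR pattern
    r"(?P<program>\S+):\s+"     # [\s]+ : one OR MORE whitespace characters after the colon
    r"(?P<full_message>.*)$",
    re.DOTALL,
)

# Assumed pre-fix behaviour (not shown on the page): exactly two spaces after the colon.
STRICT_TWO_SPACE_PATTERN = re.compile(
    r"^<(?P<priority>\d+)>"
    rf"(?P<raw_date>{SYSLOG_TS}) "
    r"(?P<host>\w+)  "
    r"(?P<program>\S+):  "      # exactly two spaces: breaks on the new single-space format
    r"(?P<full_message>.*)$",
    re.DOTALL,
)


def extract(line, pattern=PROPOSED_PATTERN):
    """Return the three fields the Grok pattern captures, or None on a parse failure.

    Field names mirror the Grok capture names so the output can be compared
    with what the ingest pipeline would produce.
    """
    m = pattern.match(line)
    if m is None:
        return None
    return {
        "log.syslog.priority": int(m.group("priority")),   # the :int cast in the Grok pattern
        "_temp_.raw_date": m.group("raw_date"),
        "_temp_.full_message": m.group("full_message"),
    }


# Constructed sample lines (not captured from a real Arista NG Firewall).
OLD_FORMAT = "<14>Dec 22 08:15:01 ngfw  uvm[0]:  INFO  FilterRule: blocked 10.0.0.5"
NEW_FORMAT = "<14>Dec 22 08:15:01 ngfw  uvm[0]: INFO  FilterRule: blocked 10.0.0.5"


def compare_formats():
    """Parse both sample lines with both patterns; returns a dict keyed by (pattern, format)."""
    results = {}
    for pname, pat in (("proposed", PROPOSED_PATTERN), ("strict", STRICT_TWO_SPACE_PATTERN)):
        for fname, line in (("old", OLD_FORMAT), ("new", NEW_FORMAT)):
            results[(pname, fname)] = extract(line, pat)
    return results


if __name__ == "__main__":
    for key, value in compare_formats().items():
        print(key, "->", value)
```

The point worth checking before shipping a pattern like this is that `[\s]+` followed by GREEDYDATA yields the same `_temp_.full_message` for both formats (leading whitespace is consumed by `\s+`, not carried into the message), so downstream processors that key on the message prefix keep working after the upgrade.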

@MakoWish MakoWish changed the title Correct Grok pattern due to change in Syslog message format. [Arista NG Firewall] Correct Grok pattern due to change in Syslog message format. Dec 22, 2024
@MakoWish MakoWish marked this pull request as ready for review December 22, 2024 16:43
@MakoWish MakoWish requested a review from a team as a code owner December 22, 2024 16:43
@andrewkroh andrewkroh added bugfix Pull request that fixes a bug issue Integration:arista_ngfw Arista NG Firewall Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices] labels Dec 23, 2024
@elasticmachine

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

Labels
bugfix Pull request that fixes a bug issue Integration:arista_ngfw Arista NG Firewall Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices]
Development

Successfully merging this pull request may close these issues.

[Arista NG Firewall]: Grok Parsing Errors Due to Updated Syslog Message Format
3 participants