From 18186e9ba1f7d2b27330f58b54eb59ac18a987fd Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Wed, 14 Aug 2024 14:23:24 -0700 Subject: [PATCH] [cisco_ise] Improve handling of unset fields from source (#10754) Improve the handling of unset/null data fields, by checking for null before using the data in more processors. Some log messages do not set all expected fields. This adds more checks that data is not null attempting to run processors on these fields. This also adds some examples of log messages that do not populate some datafields to the pipeline tests. --------- Co-authored-by: Andrew Kroh --- packages/cisco_ise/changelog.yml | 5 + .../test-pipeline-passed-authentications.log | 1 + ...e-passed-authentications.log-expected.json | 41 ++++++ .../test-pipeline-tacacs-accounting.log | 1 + ...peline-tacacs-accounting.log-expected.json | 135 ++++++++++++++++++ .../pipeline_passed_authentications.yml | 32 ++++- .../pipeline_tacacs_accounting.yml | 1 + packages/cisco_ise/manifest.yml | 2 +- 8 files changed, 211 insertions(+), 7 deletions(-) diff --git a/packages/cisco_ise/changelog.yml b/packages/cisco_ise/changelog.yml index 2a219966d47..f2eaa2237bf 100644 --- a/packages/cisco_ise/changelog.yml +++ b/packages/cisco_ise/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.22.4" + changes: + - description: Improve handling of empty data fields + type: bugfix + link: https://github.com/elastic/integrations/pull/10754 - version: "1.22.3" changes: - description: Fix the Cisco_ISE toggle description for filestream input diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log index 5e9d7123e7a..a5c53b5fbe1 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log 
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log 
@@ -3,3 +3,4 @@ <181>Feb 23 21:44:54 cisco-ise-host CISE_Passed_Authentications 0000000028 1 0 2021-02-23 21:44:54.276 +00:00 0000001707 5233 NOTICE Passed-Authentication: TrustSec Data Download Succeeded, ConfigVersionId=9, Device IP Address=81.2.69.144, DestinationIPAddress=81.2.69.144, DestinationPort=1645, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=281, NetworkDeviceName=ASAv-vpn, User-Name=#CTSREQUEST#, NAS-IP-Address=81.2.69.144, NAS-Port=2, NAS-Port-Type=Virtual, cisco-av-pair=cts-environment-version=1, cisco-av-pair=cts-environment-data=ASAv-vpn, cisco-av-pair=cts-device-capability=env-data-fragment, cisco-av-pair=cts-pac-opaque=****, cisco-av-pair=coa-push=true, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=8ade1f15-aef1-4a9a-8158-d02e835179db, IsThirdPartyDeviceFlow=false, AcsSessionID=ise/403491114/1, SelectedAccessService=NDAC_SGT_Service, Step=11001, Step=11017, Step=11117, Step=15012, Step=15036, Step=15006, Step=11002, NetworkDeviceGroups=Location#All Locations#dCloud, NetworkDeviceGroups=Device Type#All Device Types#Security Devices#VPN, AuthorizationPolicyMatchedRule=Default, CPMSessionID=c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg, ISEPolicySetName=NetworkDeviceAuthorization, DTLSSupport=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#dCloud, Device Type=Device Type#All Device Types#Security Devices#VPN, Response={Class=CACS:c612851bJ4_5zUNfXSy7PCu6hSY3K1tPzLJOLXwVfJMIFdTrUjg:ise/403491114/1; cisco-av-pair=cts:server-list=CTSServerList1-0001; cisco-av-pair=cts:security-group-tag=0002-11; cisco-av-pair=cts:environment-data-expiry=86400; cisco-av-pair=cts:security-group-table=0001-46; }, <181>Mar 3 09:11:58 cisco-ise-host CISE_Passed_Authentications 0000082517 1 0 2022-03-03 09:11:58.729 +00:00 0000082584 5239 NOTICE RADIUS: NAS problem was fixed, ConfigVersionId=1626, NAS-IP-Address=81.2.69.145, MisconfiguredClientFixReason=Silent, Step=5239, <181>Mar 3 09:11:58 cisco-ise-host 
CISE_Passed_Authentications 0000082547 3 1 ConfigVersionId=1626, NAS-IP-Address=81.2.69.144, MisconfiguredClientFixReason=Silent, Step=5234, +<181>Jul 1 06:49:05 cisco-ise-host CISE_Passed_Authentications 0006591647 18 11 Domain trust is one-way, StepData=120=fhgcg.local,Domain trust is one-way, StepData=121=fgfcx.local,Domain trust is one-way, StepData=122=gfhbnft.local,Domain trust is one-way, StepData=123=dthth.local,Domain trust is one-way, StepData=124=gkzjf.local,Domain trust is one-way, StepData=125=fjzhjhz.dfth-fzt.com,Domain trust is one-way, StepData=126=drzg.local,Domain trust is one-way, StepData=127=fzjh.local,Domain trust is one-way, StepData=128=zjn.local,Domain trust is one-way, StepData=129=fzjfg.jzg.de,Domain trust is one-way, StepData=130=gzjz.local,Domain trust is one-way, StepData=131=esfs.local,Domain trust is one-way, StepData=132=drghgh.local,Domain trust is one-way, StepData=133=rthhtd.local,Domain trust is one-way, StepData=134=rtzh.local,Domain trust is one-way, StepData=135=fzjfhj.local,Domain trust is one-way, StepData=136=kgzhf.local,Domain trust is one-way, diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json index e287589ca4e..9de33461dd3 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json 
@@ -640,6 +640,47 @@ "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2024-07-01T06:49:05.000Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_Passed_Authentications" + }, + "message": { + "id": "0006591647" + }, + "segment": { + "number": 11, + "total": 18 + } + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "event", + "original": "<181>Jul 1 06:49:05 cisco-ise-host CISE_Passed_Authentications 0006591647 18 11 Domain trust is one-way, StepData=120=fhgcg.local,Domain trust is one-way, StepData=121=fgfcx.local,Domain trust is one-way, StepData=122=gfhbnft.local,Domain trust is one-way, StepData=123=dthth.local,Domain trust is one-way, StepData=124=gkzjf.local,Domain trust is one-way, StepData=125=fjzhjhz.dfth-fzt.com,Domain trust is one-way, StepData=126=drzg.local,Domain trust is one-way, StepData=127=fzjh.local,Domain trust is one-way, StepData=128=zjn.local,Domain trust is one-way, StepData=129=fzjfg.jzg.de,Domain trust is one-way, StepData=130=gzjz.local,Domain trust is one-way, StepData=131=esfs.local,Domain trust is one-way, StepData=132=drghgh.local,Domain trust is one-way, StepData=133=rthhtd.local,Domain trust is one-way, StepData=134=rtzh.local,Domain trust is one-way, StepData=135=fzjfhj.local,Domain trust is one-way, StepData=136=kgzhf.local,Domain trust is one-way," + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "syslog": { + "priority": 181 + } + }, + "message": "Domain trust is one-way, StepData=120=fhgcg.local,Domain trust is one-way, StepData=121=fgfcx.local,Domain trust is one-way, StepData=122=gfhbnft.local,Domain trust is one-way, StepData=123=dthth.local,Domain trust is one-way, StepData=124=gkzjf.local,Domain trust is one-way, StepData=125=fjzhjhz.dfth-fzt.com,Domain trust is one-way, StepData=126=drzg.local,Domain trust is one-way, StepData=127=fzjh.local,Domain trust is one-way, StepData=128=zjn.local,Domain trust is one-way, StepData=129=fzjfg.jzg.de,Domain trust is 
one-way, StepData=130=gzjz.local,Domain trust is one-way, StepData=131=esfs.local,Domain trust is one-way, StepData=132=drghgh.local,Domain trust is one-way, StepData=133=rthhtd.local,Domain trust is one-way, StepData=134=rtzh.local,Domain trust is one-way, StepData=135=fzjfhj.local,Domain trust is one-way, StepData=136=kgzhf.local,Domain trust is one-way,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log index 7fc9c49a99f..ddcb71efbe7 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log 
@@ -2,3 +2,4 @@ <182>Feb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415636 3301 NOTICE Tacacs-Accounting: TACACS+ Accounting START, ConfigVersionId=1829, Device IP Address=81.2.69.144, RequestLatency=1, NetworkDeviceName=LDNBuildSW1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxlms, Port=tty2, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=35585, AVPair=timezone=GMT, AVPair=start_time=1585222245, AcctRequest-Flags=Start, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/954422, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=22083, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting647817909, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; } <182>Feb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415932 3302 NOTICE Tacacs-Accounting: TACACS+ Accounting STOP, ConfigVersionId=1829, Device IP Address=81.2.69.144, RequestLatency=1, NetworkDeviceName=LDNBuildSW1, Type=Accounting, Privilege-Level=1, Service=Login, User=psxlms, Port=tty2, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=35585, AVPair=timezone=GMT, AVPair=start_time=1585222245, AVPair=disc-cause=1, AVPair=disc-cause-ext=9, AVPair=pre-session-time=0, AVPair=elapsed_time=127, AVPair=stop_time=1585222372, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/954446, SelectedAccessService=Device Admin - TACACS, Step=13006, 
Step=15049, Step=15008, Step=15048, Step=22084, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting2791676098, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success;} <182>Feb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 1 ConfigVersionId=1856, Device IP Address=81.2.69.144, RequestLatency=6, NetworkDeviceName=LDNBuildSW1, Type=Accounting, Privilege-Level=1, Service=Login, User=psxlms, Port=tty2, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=35585, AVPair=timezone=GMT, AVPair=start_time=1585222245, AVPair=disc-cause=1, AVPair=disc-cause-ext=9, AVPair=pre-session-time=0, AVPair=elapsed_time=127, AVPair=stop_time=1585222372, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/954446, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=22084, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success;} +<181>Jul 12 08:49:05 cisco-ise-host CISE_TACACS_Accounting 0006616665 2 0 2024-07-12 08:49:05.018 +02:00 17627964199 3300 NOTICE 
Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=280, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show ip arp vrf vlan1111-vrf ], RequestLatency=5, NetworkDeviceName=rt333-rk000009, Type=Accounting, Privilege-Level=15, Service=Login, User=user, Port=tty3, Remote-Address=81.2.69.145, Authen-Method=TacacsPlus, AVPair=task_id=34866, AVPair=timezone=CEST, AVPair=start_time=1720766945, AVPair=priv-lvl=1, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=mgtise001/498316448/86232573, SelectedAccessService=Default Device Admin, Step=13006, Step=15049, Step=15008, Step=15048, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#All41S#DC#EQ-FR7, NetworkDeviceGroups=Device Type#All Device Types#Router, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, CPMSessionID=111095075910.202.200.10013807Accounting1110950759, Network Device Profile=Cisco, diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json index 09bd7bda11b..92d3017244c 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json 
@@ -619,6 +619,141 @@ "user": { "name": "psxlms" } + }, + { + "@timestamp": "2024-07-12T08:49:05.018+02:00", + "cisco_ise": { + "log": { + "acct": { + "request": { + "flags": "Stop" + } + }, + "acs": { + "session": { + "id": "mgtise001/498316448/86232573" + } + }, + "authen_method": "TacacsPlus", + "avpair": { + "priv_lvl": 1, + "start_time": "2024-07-12T06:49:05.000Z", + "task_id": "34866", + "timezone": "CEST" + }, + "category": { + "name": "CISE_TACACS_Accounting" + }, + "cmdset": "[ CmdAV=show ip arp vrf vlan1111-vrf ]", + "config_version": { + "id": 280 + }, + "cpm": { + "session": { + "id": "111095075910.202.200.10013807Accounting1110950759" + } + }, + "message": { + "code": "3300", + "description": "Tacacs-Accounting: TACACS+ Accounting with Command", + "id": "0006616665" + }, + "network": { + "device": { + "groups": [ + "Location#All Locations#All41S#DC#EQ-FR7", + "Device Type#All Device Types#Router", + "IPSEC#Is IPSEC Device#No" + ], + "name": "rt333-rk000009", + "profile": "Cisco" + } + }, + "port": "tty3", + "privilege": { + "level": 15 + }, + "request": { + "latency": 5 + }, + "segment": { + "number": 0, + "total": 2 + }, + "selected": { + "access": { + "service": "Default Device Admin" + } + }, + "service": { + "argument": "shell", + "name": "Login" + }, + "step": [ + "13006", + "15049", + "15008", + "15048", + "15048", + "13035" + ], + "type": "Accounting" + } + }, + "client": { + "ip": "81.2.69.144" + }, + "destination": { + "ip": "81.2.69.145" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "tacacs-accounting", + "category": [ + "configuration" + ], + "code": "3300", + "kind": "event", + "original": "<181>Jul 12 08:49:05 cisco-ise-host CISE_TACACS_Accounting 0006616665 2 0 2024-07-12 08:49:05.018 +02:00 17627964199 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=280, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show ip arp vrf vlan1111-vrf ], RequestLatency=5, NetworkDeviceName=rt333-rk000009, 
Type=Accounting, Privilege-Level=15, Service=Login, User=user, Port=tty3, Remote-Address=81.2.69.145, Authen-Method=TacacsPlus, AVPair=task_id=34866, AVPair=timezone=CEST, AVPair=start_time=1720766945, AVPair=priv-lvl=1, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=mgtise001/498316448/86232573, SelectedAccessService=Default Device Admin, Step=13006, Step=15049, Step=15008, Step=15048, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#All41S#DC#EQ-FR7, NetworkDeviceGroups=Device Type#All Device Types#Router, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, CPMSessionID=111095075910.202.200.10013807Accounting1110950759, Network Device Profile=Cisco,", + "sequence": 17627964199, + "timezone": "+02:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "notice", + "syslog": { + "priority": 181, + "severity": { + "name": "notice" + } + } + }, + "message": "2024-07-12 08:49:05.018 +02:00 17627964199 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=280, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show ip arp vrf vlan1111-vrf ], RequestLatency=5, NetworkDeviceName=rt333-rk000009, Type=Accounting, Privilege-Level=15, Service=Login, User=user, Port=tty3, Remote-Address=81.2.69.145, Authen-Method=TacacsPlus, AVPair=task_id=34866, AVPair=timezone=CEST, AVPair=start_time=1720766945, AVPair=priv-lvl=1, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=mgtise001/498316448/86232573, SelectedAccessService=Default Device Admin, Step=13006, Step=15049, Step=15008, Step=15048, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#All41S#DC#EQ-FR7, NetworkDeviceGroups=Device Type#All Device Types#Router, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, CPMSessionID=111095075910.202.200.10013807Accounting1110950759, Network Device Profile=Cisco,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.144", + "81.2.69.145" + ], + "user": 
[ + "user" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "user" + } } ] } \ No newline at end of file diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml index 715c7315522..a3533fdcefc 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml @@ -4,11 +4,13 @@ processors: field: event.kind value: event - grok: + tag: grok_message_0 field: message if: ctx.cisco_ise?.log?.segment?.number == 0 patterns: - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details_raw}," - grok: + tag: grok_message_1 field: message if: ctx.cisco_ise?.log?.segment?.number != null && ctx.cisco_ise.log.segment.number > 0 patterns: @@ -46,6 +48,7 @@ processors: field: error.message value: '{{{_ingest.on_failure_message}}}' - grok: + tag: grok_description field: cisco_ise.log.message.description if: ctx.cisco_ise?.log?.message?.description != null && ctx.cisco_ise.log.message.description != '' patterns: @@ -55,11 +58,13 @@ processors: field: event.action ignore_missing: true - append: + tag: append_authentication field: event.category value: authentication if: ctx.cisco_ise?.log?.message?.code != null && ['5200','5231','5233','5239'].contains(ctx.cisco_ise.log.message.code) ignore_failure: true - append: + tag: append_event_type field: event.type value: info if: ctx.cisco_ise?.log?.message?.code != null && ['5200','5231','5233','5239'].contains(ctx.cisco_ise.log.message.code) 
@@ -124,7 +129,8 @@ processors: target_field: cisco_ise.log.calling_station.id ignore_missing: true - foreach: - if: "ctx.cisco_ise?.log?.log_details['cisco-av-pair'] != null && ctx.cisco_ise?.log?.log_details['cisco-av-pair'] instanceof List" + tag: foreach_av_pair + if: ctx.cisco_ise?.log?.log_details != null && ctx.cisco_ise.log.log_details['cisco-av-pair'] instanceof List field: cisco_ise.log.log_details.cisco-av-pair processor: kv: @@ -138,7 +144,8 @@ processors: value: '{{{_ingest.on_failure_message}}}' ignore_missing: true - kv: - if: "ctx.cisco_ise?.log?.log_details['cisco-av-pair'] != null && !(ctx.cisco_ise?.log?.log_details['cisco-av-pair'] instanceof List)" + tag: kv_av_pair + if: ctx.cisco_ise?.log?.log_details != null && ctx.cisco_ise.log.log_details['cisco-av-pair'] instanceof String field : cisco_ise.log.log_details.cisco-av-pair target_field: cisco_ise.log.cisco_av_pair field_split: ', ' @@ -242,6 +249,7 @@ processors: field: cisco_ise.log.log_details.IpAddress ignore_missing: true - append: + tag: append_related_ip_0 field: related.ip value: '{{{source.ip}}}' if: ctx.source?.ip != null @@ -297,6 +305,7 @@ processors: field: cisco_ise.log.log_details.NAS-IP-Address ignore_missing: true - append: + tag: append_related_ip_1 field: related.ip value: '{{{cisco_ise.log.nas.ip}}}' if: ctx.cisco_ise?.log?.nas?.ip != null @@ -451,12 +460,14 @@ processors: ignore_failure: true ignore_missing: true - append: + tag: append_user_name_0 field: user.name value: '{{{cisco_ise.log.log_details.UserName}}}' if: ctx.cisco_ise?.log?.log_details?.UserName != null ignore_failure: true allow_duplicates: false - append: + tag: append_related_user_0 field: related.user value: '{{{cisco_ise.log.log_details.UserName}}}' if: ctx.cisco_ise?.log?.log_details?.UserName != null 
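Review bot: The kv_av_pair condition in the `@@ -138,7 +144,8 @@` hunk now requires `instanceof String`, where it previously accepted any non-null value that was not a List, so a `cisco-av-pair` of any other type is skipped silently rather than failing into the on_failure handler. The commit message describes only null checks, so this narrowing reads as unintentional or at least undocumented. If skipping is intended, a comment such as `# a single string value is parsed here; list values are handled by foreach_av_pair above` would make the pairing with the foreach processor explicit. The kv processor's remaining options continue past the end of that hunk.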
@@ -466,27 +477,31 @@ processors: field: cisco_ise.log.log_details.UserName ignore_missing: true - append: + tag: append_user_name_1 field: user.name value: '{{{cisco_ise.log.log_details.User-Name}}}' - if: ctx.cisco_ise?.log?.log_details['User-Name'] != null + if: ctx.cisco_ise?.log?.log_details != null && ctx.cisco_ise.log.log_details['User-Name'] != null allow_duplicates: false ignore_failure: true - append: + tag: append_related_user_1 field: related.user - value: '{{{cisco_ise.log.log_details.lUser-Name}}}' - if: ctx.cisco_ise?.log?.log_details['User-Name'] != null + value: '{{{cisco_ise.log.log_details.User-Name}}}' + if: ctx.cisco_ise?.log?.log_details != null && ctx.cisco_ise.log.log_details['User-Name'] != null allow_duplicates: false ignore_failure: true - remove: field: cisco_ise.log.log_details.User-Name ignore_missing: true - append: + tag: append_user_name_2 field: user.name value: '{{{cisco_ise.log.log_details.OriginalUserName}}}' if: ctx.cisco_ise?.log?.log_details?.OriginalUserName != null allow_duplicates: false ignore_failure: true - append: + tag: append_related_user_2 field: related.user value: '{{{cisco_ise.log.log_details.OriginalUserName}}}' if: ctx.cisco_ise?.log?.log_details?.OriginalUserName != null @@ -508,6 +523,7 @@ processors: field: cisco_ise.log.log_details.DestinationIPAddress ignore_missing: true - append: + tag: append_related_ip_2 field: related.ip value: '{{{destination.ip}}}' if: ctx.destination?.ip != null @@ -538,6 +554,7 @@ processors: field: cisco_ise.log.log_details.Device IP Address ignore_missing: true - append: + tag: append_related_ip_3 field: related.ip value: '{{{client.ip}}}' if: ctx.client?.ip != null 
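Review bot: The `lUser-Name` typo fix in append_related_user_1 changes what is appended to related.user, yet the diffstat shows the two expected JSON files gaining lines only (211 insertions, 7 deletions, and all 7 deletions are in the pipeline and manifest YAML), so no existing expectation moved with the fix. That suggests the existing fixture carrying `User-Name=#CTSREQUEST#` either never reaches this processor or the mis-rendered template was masked — presumably by `ignore_failure: true` on the append, which also hides template-rendering problems of exactly this kind. A pinned expectation that related.user matches user.name for that message would make the next regression visible; until then a comment on the two appends noting that `ignore_failure` also swallows unresolved template fields is worth having.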
@@ -557,4 +574,7 @@ on_failure:
 value: pipeline_error
 - append:
 field: error.message
- value: '{{{ _ingest.on_failure_message }}}'
+ value: >-
+ Processor '{{ _ingest.on_failure_processor_type }}'
+ {{#_ingest.on_failure_processor_tag}}with tag '{{ _ingest.on_failure_processor_tag }}'
+ {{/_ingest.on_failure_processor_tag}}failed with message '{{ _ingest.on_failure_message }}'
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_tacacs_accounting.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_tacacs_accounting.yml
index 01abfaa721b..167272e975e 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_tacacs_accounting.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_tacacs_accounting.yml
@@ -349,6 +349,7 @@ processors:
 ignore_failure: true
 - remove:
 field: cisco_ise.log.log_details.Response
+ ignore_failure: true
 - kv:
 field: _tmp.response
 target_field: cisco_ise.log.response
diff --git a/packages/cisco_ise/manifest.yml b/packages/cisco_ise/manifest.yml
index 982b09228c3..802556801da 100644
--- a/packages/cisco_ise/manifest.yml
+++ b/packages/cisco_ise/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_ise
 title: Cisco ISE
-version: "1.22.3"
+version: "1.22.4"
 description: Collect logs from Cisco ISE with Elastic Agent.
 type: integration
 categories:
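Review bot: The new top-level on_failure message uses double-brace `{{ }}` placeholders, while the per-processor on_failure handlers earlier in this pipeline use `{{{_ingest.on_failure_message}}}` and the line being replaced did too. In Mustache the double form is the escaped one, so a failure text that contains quotes or brackets from a grok or kv error may come out escaped in error.message here and unescaped in the other handlers. Keeping the triple form throughout would be consistent: `Processor '{{{ _ingest.on_failure_processor_type }}}'`, with the tag section and `{{{ _ingest.on_failure_message }}}` written the same way.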
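Review bot: `ignore_failure: true` on the Response remove is broader than the problem being fixed: it swallows every failure of that processor, whereas an absent `cisco_ise.log.log_details.Response` is exactly the case the remove processor's `ignore_missing: true` exists for. That is also the option the passed-authentications pipeline uses on its own removes in this same patch (`field: cisco_ise.log.log_details.User-Name` followed by `ignore_missing: true`). Switching this line to `ignore_missing: true` keeps any other failure visible to the pipeline's on_failure handler.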