[AI-4493] DDS: Cisco Secure Web Appliance Integration v1.0.0 #18717
Conversation
datadog-agent-integrations-bot
bot
added
documentation
dev/testing
dev/tooling
release
qa/skip-qa
neko-dd
added
the
editorial review
|
Created a ticket for the Docs team to review. |
| # If for some reason id must be different than app_id, add the app_id in this field instead. | ||
| # If id and app_id already match, this field can be left blank. |
There was a problem hiding this comment.
Nit: We can probably remove this comment here
There was a problem hiding this comment.
Updated as Suggested.
| sources: | ||
| - syslog.severity | ||
| - type: pipeline | ||
| name: Processing of l4tm logs. |
There was a problem hiding this comment.
We can remove the . from the name here
| name: Processing of l4tm logs. | |
| name: Processing of l4tm logs |
There was a problem hiding this comment.
Updated as Suggested.
| name: Processing of l4tm logs. | ||
| enabled: true | ||
| filter: | ||
| query: "service:l4tm_logs " |
There was a problem hiding this comment.
Nit: extra space here
| query: "service:l4tm_logs " | |
| query: "service:l4tm_logs" |
There was a problem hiding this comment.
Updated as suggested.
| 98 10.10.10.10 TCP_DENIED_SSL/403 0 GET | ||
| https://www.virustotal.com:443/favicon.ico - NONE/- - | ||
| BLOCK_CUSTOMCAT_12-DefaultGroup-10.50.6.5-NONE-NONE-NONE-NONE-NONE | ||
| <"C_viru",-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"-",-,"-","-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-,-> |
There was a problem hiding this comment.
This pipeline seems to make the assumption that these 44 attributes will always arrive in this exact order in a comma-separated list, and that for example all logs from the Cisco Web Appliance will have a "YouTube URL" attribute at the end of the list. What is enforcing this format in the web appliance?
There was a problem hiding this comment.
Yes, the integration supports the default (squid) log style for access logs and the same is also documented in the integration configuration steps.
There was a problem hiding this comment.
@ankitarajput-crest do you have a link to the cisco documentation that says this is the format?
There was a problem hiding this comment.
@obi11235 Here is the link to Cisco Secure Web Appliance documentation which provides the example log. Configuring the default log format option in the Cisco Secure Web Appliance Console will generate and forward the logs in exactly the same format as mentioned above and the same has been successfully validated in our lab environment as well.
| - 1726663202.810 4 10.10.10.10 TCP_DENIED/403 0 CONNECT | ||
| tunnel://FORCEPOINTDLP:443/ - NONE/- - | ||
| BLOCK_WEBCAT_12-DefaultGroup-match_network-NONE-NONE-NONE-NONE-NONE | ||
| <"nc",ns,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"nc",-,"-","-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-,-> |
There was a problem hiding this comment.
Why are some of the attributes in this list - but others are "-"?
There was a problem hiding this comment.
The logs can have both - and "-" and hence the grok parser is designed to handle attributes seamlessly, regardless of whether they are enclosed in double quotes or not.
madhavpandya-crest
dismissed stale reviews from HadhemiDD, steveny91, and michaelcretzman
via
0ecebd3
datadog-assets
bot
added
agent/review-requested
docs/requested-changes
and removed
agent/approved
docs/approved
labels
madhavpandya-crest
requested review from
nhinsch,
michaelcretzman,
steveny91 and
HadhemiDD
michaelcretzman
requested review from
a team
and removed request for
michaelcretzman and
a team
What does this PR do?
PR for a new integration Cisco Secure Web Appliance 1.0.0
Additional Notes
-- OOTB detection rules JSON would be shared separately with the required teams as a part of separate repository .
-- Since during the standard attribute remapping we are not preserving the source attributes as per suggested best practices, it would result in filters using these standard attributes populating the values of other integrations as well as per current datadog behavior.
Review checklist (to be filled by reviewers)
qa/skip-qalabel if the PR doesn't need to be tested during QA.backport/<branch-name>label to the PR and it will automatically open a backport PR once this one is merged