Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[iptables]: not properly parsing VyOS logs #10881

Open
buzzdeee opened this issue Aug 26, 2024 · 2 comments
Open

[iptables]: not properly parsing VyOS logs #10881

buzzdeee opened this issue Aug 26, 2024 · 2 comments
Labels
Integration:iptables Iptables needs:triage Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices]

Comments

@buzzdeee
Copy link

Integration Name

Iptables [iptables]

Dataset Name

No response

Integration Version

1.16.1

Agent Version

8.15.0

Agent Output Type

elasticsearch

Elasticsearch Version

8.15.0

OS Version and Architecture

Ubuntu 22.04.4 LTS

Software/API Version

No response

Error Message

No response

Event Original

[7598791.530254] [RULE_IN-2001-A] IN=eth0 OUT=eth1 MAC=00:1b:21:bc:c7:ba:52:54:00:4a:b3:d0:08:00 SRC=10.10.10.10 DST=10.11.11.11 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=5751 DF PROTO=UDP SPT=49704 DPT=53 LEN=64

What did you do?

I forward IPTables logs from a VyOS firewall to an agent where I use the Custom UDP input, with Syslog parsing enabled.
Then in the custom ingestion pipeline for that dataset, I tell it to call the logs-iptables.log-1.16.1 pipeline.

What did you see?

some of these logs, at least some DROP logs, seem to be parsed fine with the UBIQUITY_LABEL, but others, at least what I saw now, ACCEPT or REJECT logs, have a "space" between the [UBIQUITY_LABEL] and the following IN=.... but the 4th grok pattern in the ingest pipeline Grok "Extracts values from "message" that match a grok pattern", looks alike:

%{GREEDYDATA}\[%{UBIQUITI_LABEL}\]%{IPTABLES}%{SPACE}

due to the missing space, it didn't matched, and moved on with the more general pattern below. So I only ended up with event.action: drop events, and the others don't have that field set.

What did you expect to see?

Since VyOS more or less the same naming convention for its rules, the IPTables integration should parse them same way as Ubiquity IPTables logs. So that event.action will properly be set to accept, drop, reject.

Anything else?

updating above mentioned grok pattern to:

%{GREEDYDATA}\[%{UBIQUITI_LABEL}\]%{SPACE}?%{IPTABLES}%{SPACE}

did the trick for me. now in discover, I can see "drop" and "accept", for some reason, when there are reject rules I only see "r", haven't yet found where the event.action is expanded from the letters to the long names.
@andrewkroh andrewkroh added Integration:iptables Iptables Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices] labels Aug 26, 2024
@elasticmachine
Copy link

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

@buzzdeee
Copy link
Author

buzzdeee commented Sep 9, 2024
edited
Loading

my proposed solution seem to have caused a redundant nested repeat operator * error.
Seems SPACE is implemented as \s* and with that, the trailing ? caused errors, update to:

%{GREEDYDATA}\[%{UBIQUITI_LABEL}\]%{SPACE}%{IPTABLES}%{SPACE}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Integration:iptables Iptables needs:triage Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices]
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@andrewkroh @buzzdeee @elasticmachine and others