Grok error in official Azure integration

nemhods · May 16, 2023, 3:24pm

Hey,

the Azure integration currently (I'm using 8.7.0) fails to ingest some Azure Activity Logs with IPv6 source addresses. The reason is this processor:

- grok:
    field: azure.activitylogs.callerIpAddress
    patterns:
      - \[%{IPORHOST:source.ip}\]:%{INT:source.port:int}
      - "%{IPORHOST:source.ip}:%{INT:source.port:int}"
      - "%{IPORHOST:source.ip}"
    ignore_missing: true
    ignore_failure: true

Given a CallerIPAddress of 2001:0db8:85a3:0000:0000:8a2e:0370:7334, the second GROK pattern will match, yielding:

{
  "source": {
    "port": 0,
    "ip": "2001"
  }
}

This document fails to ingest because '2001' is not an IP string literal.

I solved it by changing the order of the patterns and checking for the plain %{IPORHOST:source.ip} first.

Am I getting this right? Should I open a bug report on github?

warkolm · May 17, 2023, 12:02am

Yes please!

Rios · May 17, 2023, 12:47pm

As every developer say, it's not a bug, it's a feature

nemhods · May 17, 2023, 6:22pm

I found a pull request with extensive discussion - it's not as simple as it seems! Also, fleet may install slightly different pipelines than the latest Filebeat. TIL.

github.com/elastic/beats

Draft: Allow parsing of IPv6 addresses in ingest pipeline

elastic:main ← cFire:34277-azure-ipv6

opened 11:54AM - 25 Jan 23 UTC

cFire

+6 -0

@zmoog: Draft PR for #34277. Will add test cases soon. - Enhancement ## Wh…at does this PR do? Adds support for parsing IPv6 addresses in the filebeat Azure activitylogs, auditlogs, and platformlogs ingest pipelines. ## Why is it important? Currently any logs from these Azure log source which have an IPv6 address as the source are not ingested into elasticsearch because the ingest pipeline throws an error when attempting to ingest these logs. ## Checklist - [x] My code follows the style guidelines of this project ~~- [ ] I have commented my code, particularly in hard-to-understand areas~~ - [ ] I have made corresponding changes to the documentation ~~- [ ] I have made corresponding change to the default configuration files~~ - [ ] I have added tests that prove my fix is effective or that my feature works - [ ] I have added an entry in `CHANGELOG.next.asciidoc` or `CHANGELOG-developer.next.asciidoc`. ## How to test this PR locally No easy test yet, test cases still need to be added ## Related issues - Closes #34277

system · June 14, 2023, 8:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.