Issue with Cisco Integration

hi,
I'm trying to make the Cisco integration v0.11.5 work, but I have an error with the ingest pipeline cisco.ios. Here's the error that I get when I manually put a document through the pipeline:

{
  "root_cause": [
    {
      "type": "illegal_argument_exception",
      "reason": "Provided Grok expressions do not match field value: [Client DH key range mismatch with maximum configured DH key on server]"
    }
  ],
  "type": "illegal_argument_exception",
  "reason": "Provided Grok expressions do not match field value: [Client DH key range mismatch with maximum configured DH key on server]"
}

I've checked a bit everywhere and, if I understand correctly, the issue is that the logs I'm receiving from my Cisco switch (in that case) are not in the format that the pipeline expects.
I found this documentation (beats/cisco-ios-syslog.log at 52f226530db54fc3244d1f00e50ce4ec47e6b7fb · elastic/beats · GitHub)
on the GitHub page that shows some log examples, and as I thought, the ones I'm receiving are not built in the same format as those.

And it fits, because in my output I can see that temp.ts and temp.timestamp (at the dissect processor) are already wrong:

    "_temp_": {
      "message": "Client DH key range mismatch with maximum configured DH key on server",
      "ts": "<187>2069:Oct19",
      "timestamp": "%SSH-3-DH_RANGE_FAIL"
    }

Here's an example of what I'm receiving,
<187>2069: Oct 19 09:01:58.268 EDT: %SSH-3-DH_RANGE_FAIL: Client DH key range mismatch with maximum configured DH key on server
<187>3705657: .Oct 19 09:01:44 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet4/0/46, changed state to up
<189>3705658: .Oct 19 09:01:45 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet4/0/46, changed state to up
<189>31214: Oct 19 08:55:56 EDT: %SMI-5-CLIENT: Smart Install Client feature is enabled. It is recommendedto disable the SMI feature when it is not actively used. To disablefeature execute 'no vstack' in configuration mode
<189>9919: Oct 18 13:52:52 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: username] [Source: x.x.x.x] [localport: 22] at 13:52:52 EDT Mon Oct 18 2021

I could modify the cisco.ios pipeline myself, but when a new version of the integration is released I'll lose every change I made. So, here's my question: am I missing something in my Cisco switch configuration, or is there an issue in the integration that I have to report to an Elastic developer?

If more information is needed to help me with that, just tell me and I'll add it.
Thanks,

I think that you should open an issue on GitHub so the Elastic team can look into that; probably the message format wasn't tested against the grok in the integration.

Since you can have a lot of different message formats, and some of them do not occur frequently in most cases, sometimes you will have one that wasn't tested.

Also, you do not need to change the original ingest pipeline, you can create another final pipeline to parse that message and set this pipeline as the final_pipeline for your index in your index template.

This final pipeline will execute after everything else.
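To make the suggestion above concrete, here is an added example (not code from the thread or from the Elastic integration) that parses the four log lines quoted in the question with a regex shaped like the grok expression a fallback pipeline would need, decodes the syslog PRI into facility and severity, and builds the JSON body for that fallback pipeline plus the `index.final_pipeline` setting for the index template. The grok field names, the `ctx.error?.message` condition (which assumes the integration's pipeline caught its own grok failure with an on_failure handler and let the document through) and the `America/New_York` timezone are all my assumptions; a final pipeline only ever sees documents the default pipeline did not reject outright.

```python
import json
import re

# Constructed sample input: the four lines quoted in the question above
# (x.x.x.x is the author's own placeholder, "username" is a placeholder too).
SAMPLE_LINES = [
    "<187>2069: Oct 19 09:01:58.268 EDT: %SSH-3-DH_RANGE_FAIL: Client DH key range "
    "mismatch with maximum configured DH key on server",
    "<187>3705657: .Oct 19 09:01:44 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet4/0/46, "
    "changed state to up",
    "<189>3705658: .Oct 19 09:01:45 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface "
    "GigabitEthernet4/0/46, changed state to up",
    "<189>9919: Oct 18 13:52:52 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: username] [Source: x.x.x.x] [localport: 22] at 13:52:52 EDT Mon Oct 18 2021",
]

# Python regex mirroring the grok expression further down:
#   <PRI>SEQ: [.]TIMESTAMP TZ: %FACILITY-SEVERITY-MNEMONIC: text
# The optional "." before the timestamp is IOS's marker that its clock is not
# NTP-synchronised; it is captured instead of being swallowed into the timestamp.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<seq>\d+): (?P<unsynced>\.)?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?) (?P<tz>[A-Z]{1,5}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<message>.*)$"
)

# Syslog PRI decoding: facility = PRI // 8, severity = PRI % 8.
SYSLOG_FACILITIES = (
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp security "
    "console solaris-cron local0 local1 local2 local3 local4 local5 local6 local7"
).split()
SYSLOG_SEVERITIES = "emergency alert critical error warning notice informational debug".split()


def parse_cisco_ios_line(line):
    """Return the structured fields of one IOS syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pri = int(m["pri"])
    return {
        "syslog_facility": SYSLOG_FACILITIES[pri >> 3],
        "syslog_severity": SYSLOG_SEVERITIES[pri & 7],
        "sequence": int(m["seq"]),
        "clock_unsynced": m["unsynced"] is not None,
        "timestamp": m["ts"],
        "timezone": m["tz"],
        "facility": m["facility"],
        "severity": int(m["severity"]),
        "mnemonic": m["mnemonic"],
        "message": m["message"],
    }


# Grok equivalent of LINE_RE. POSINT, CISCOTIMESTAMP, TZ, WORD, INT and GREEDYDATA are
# built-in Elasticsearch grok patterns; the target field names are an assumption.
GROK_PATTERN = (
    "^<%{POSINT:log.syslog.priority:int}>%{POSINT:event.sequence:int}: "
    "(?:\\.)?%{CISCOTIMESTAMP:_temp_.ts} %{TZ:_temp_.tz}: "
    "%%{WORD:cisco.ios.facility}-%{INT:log.syslog.severity.code:int}-%{WORD:event.code}: "
    "%{GREEDYDATA:message}$"
)


def final_pipeline_definition(tz="America/New_York"):
    """Body for PUT _ingest/pipeline/<name>. The zone id is an assumption: the samples
    carry EDT, which the date processor cannot resolve as a Java zone id."""
    return {
        "description": "Re-parse Cisco IOS lines the integration pipeline could not grok",
        "processors": [
            {
                "grok": {
                    # Assumption: only touch events whose default pipeline failed and
                    # recorded the failure in error.message via its on_failure handler.
                    "if": "ctx.error?.message != null",
                    "field": "message",
                    "patterns": [GROK_PATTERN],
                    "ignore_missing": True,
                }
            },
            {
                "date": {
                    "if": "ctx._temp_?.ts != null",
                    "field": "_temp_.ts",
                    "formats": ["MMM d HH:mm:ss.SSS", "MMM d HH:mm:ss"],
                    "timezone": tz,
                }
            },
            {"remove": {"field": "_temp_", "ignore_missing": True}},
        ],
    }


def index_template_settings(pipeline_name):
    """Settings fragment for the index template; final_pipeline runs after the default one."""
    return {"index": {"final_pipeline": pipeline_name}}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(json.dumps(parse_cisco_ios_line(line)))
    print(json.dumps(final_pipeline_definition(), indent=2))
    print(json.dumps(index_template_settings("cisco-ios-fallback"), indent=2))
```

Run the script to check the regex against your own lines before turning it into the grok processor; a line that returns None here is one the pipeline would also fail on, so it is the place to extend the pattern rather than leaving the event to fall through unparsed.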

Excellent, I'll open an issue on GitHub and for the time being I'll work with the final_pipeline.

Thank you for your answer,
