
Commit 6c2e1e0

checkpoint: fix handling of R81 fields (#3800)
1 parent f029a52 commit 6c2e1e0


5 files changed

+83
-4
lines changed

5 files changed

+83
-4
lines changed

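--- a/packages/checkpoint/changelog.yml
+++ b/packages/checkpoint/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.7.1"
+  changes:
+    - description: Fix handling of R81 fields.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3800
 - version: "1.7.0"
   changes:
     - description: Add handling of authentication events.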
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
<134>1 2022-07-16T18:51:20Z fw1 CheckPoint 15190 - [action:"Accept"; contextnum:"1"; flags:"802832"; ifdir:"inbound"; ifname:"eth0.11"; logid:"6"; loguid:"{0x8f6ff124,0xbeef4db4,0xbad40b,0xa9525929}"; origin:"81.2.69.144"; originsicname:"CN=fwcp1,O=Client_Server_1.company.com.bg7ujf"; sequencenum:"8"; time:"1657997480"; version:"5"; __nsons:"0"; __p_dport:"0"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={2A2FD8C0-A383-3DE4-A515-13D2CB28A798};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\]"; __pos:"7"; bytes:"11930"; client_inbound_bytes:"7475"; client_inbound_interface:"eth0.11"; client_inbound_packets:"15"; client_outbound_bytes:"6345"; client_outbound_packets:"22"; context_num:"1"; elapsed:"0"; hll_key:"12347634786232348735"; packets:"37"; product:"Log Update"; segment_time:"1657997472"; server_inbound_bytes:"6345"; server_inbound_packets:"11"; server_outbound_bytes:"7475"; server_outbound_interface:"eth0.10"; server_outbound_packets:"30"; start_time:"1657997472"]
Lines changed: 53 additions & 0 deletions
@@ -0,0 +1,53 @@
1+
{
2+
"expected": [
3+
{
4+
"@timestamp": "2022-07-16T18:51:20.000Z",
5+
"checkpoint": {
6+
"context_num": "1",
7+
"elapsed": "0",
8+
"logid": "6"
9+
},
10+
"destination": {
11+
"bytes": 7475,
12+
"packets": 30
13+
},
14+
"ecs": {
15+
"version": "8.3.0"
16+
},
17+
"event": {
18+
"action": "Accept",
19+
"category": [
20+
"network"
21+
],
22+
"id": "{0x8f6ff124,0xbeef4db4,0xbad40b,0xa9525929}",
23+
"kind": "event",
24+
"original": "\u003c134\u003e1 2022-07-16T18:51:20Z fw1 CheckPoint 15190 - [action:\"Accept\"; contextnum:\"1\"; flags:\"802832\"; ifdir:\"inbound\"; ifname:\"eth0.11\"; logid:\"6\"; loguid:\"{0x8f6ff124,0xbeef4db4,0xbad40b,0xa9525929}\"; origin:\"81.2.69.144\"; originsicname:\"CN=fwcp1,O=Client_Server_1.company.com.bg7ujf\"; sequencenum:\"8\"; time:\"1657997480\"; version:\"5\"; __nsons:\"0\"; __p_dport:\"0\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={2A2FD8C0-A383-3DE4-A515-13D2CB28A798};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\]\"; __pos:\"7\"; bytes:\"11930\"; client_inbound_bytes:\"7475\"; client_inbound_interface:\"eth0.11\"; client_inbound_packets:\"15\"; client_outbound_bytes:\"6345\"; client_outbound_packets:\"22\"; context_num:\"1\"; elapsed:\"0\"; hll_key:\"12347634786232348735\"; packets:\"37\"; product:\"Log Update\"; segment_time:\"1657997472\"; server_inbound_bytes:\"6345\"; server_inbound_packets:\"11\"; server_outbound_bytes:\"7475\"; server_outbound_interface:\"eth0.10\"; server_outbound_packets:\"30\"; start_time:\"1657997472\"]",
25+
"sequence": 8,
26+
"start": "1657997472"
27+
},
28+
"network": {
29+
"bytes": 11930,
30+
"direction": "inbound",
31+
"packets": 37
32+
},
33+
"observer": {
34+
"ingress": {
35+
"interface": {
36+
"name": "eth0.11"
37+
}
38+
},
39+
"name": "81.2.69.144",
40+
"product": "Log Update",
41+
"type": "firewall",
42+
"vendor": "Checkpoint"
43+
},
44+
"source": {
45+
"bytes": 6345,
46+
"packets": 22
47+
},
48+
"tags": [
49+
"preserve_original_event"
50+
]
51+
}
52+
]
53+
}

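--- a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
@@ -471,6 +471,10 @@ processors:
       field: checkpoint.ifdir
       target_field: network.direction
       ignore_missing: true
+  - convert:
+      field: checkpoint.bytes
+      type: long
+      ignore_missing: true
   - rename:
       field: checkpoint.bytes
       target_field: network.bytes
@@ -508,6 +512,10 @@ processors:
         } else if (iana_number == '132') {
           ctx.network.transport = 'sctp';
         }
+  - convert:
+      field: checkpoint.packets
+      type: long
+      ignore_missing: true
   - rename:
       field: checkpoint.packets
       target_field: network.packets
@@ -532,12 +540,12 @@ processors:
       field: checkpoint.ifname
       target_field: observer.ingress.interface.name
       ignore_missing: true
-      if: ctx.network?.direction == 'inbound'
+      if: ctx.observer?.ingress?.interface?.name == null && ctx.network?.direction == 'inbound'
   - rename:
       field: checkpoint.ifname
       target_field: observer.egress.interface.name
       ignore_missing: true
-      if: ctx.network?.direction == 'outbound'
+      if: ctx.observer?.egress?.interface?.name == null && ctx.network?.direction == 'outbound'
   - rename:
       field: checkpoint.type
       target_field: observer.type
@@ -843,16 +851,23 @@ processors:
         )
   - remove:
       field:
+        - checkpoint.ifname
+        - checkpoint.server_outbound_interface
         - checkpoint.client_outbound_packets
         - checkpoint.server_outbound_packets
         - checkpoint.client_outbound_bytes
-        - checkpoint.sent_byte
         - checkpoint.server_outbound_bytes
+        - checkpoint.client_inbound_packets
+        - checkpoint.server_inbound_packets
+        - checkpoint.client_inbound_bytes
+        - checkpoint.server_inbound_bytes
+        - checkpoint.sent_byte
         - checkpoint.received_bytes
         - checkpoint.service
         - checkpoint.xlatedport
         - checkpoint.s_port
         - checkpoint.xlatesport
+        - checkpoint.contextnum
         - checkpoint.sequencenum
         - checkpoint.file_size
         - checkpoint.product
@@ -861,6 +876,11 @@ processors:
         - checkpoint.xlatedst
         - checkpoint.uid
         - checkpoint.time
+        - checkpoint.__nsons
+        - checkpoint.__p_dport
+        - checkpoint.__pos
+        - checkpoint.hll_key
+        - checkpoint.segment_time
         - syslog5424_ts
         - _temp_
       ignore_missing: true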
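Review bot: The remove processor now drops `checkpoint.server_outbound_interface` (hunk `@@ -843,16 +851,23 @@`) without that value being mapped anywhere in this change, so the egress interface of an inbound connection is lost: the added sample log carries `server_outbound_interface:"eth0.10"` and the added expected document has `observer.ingress.interface.name` but no `observer.egress`. Unless a rename exists outside these hunks, consider adding ahead of the removal `- rename:` / `field: checkpoint.server_outbound_interface` / `target_field: observer.egress.interface.name` with `ignore_missing: true`, guarded the same way as the `ifname` renames whose `if:` conditions were just extended with a `== null` check. The two new `convert` processors for `checkpoint.bytes` and `checkpoint.packets` carry no `ignore_failure` or `on_failure`, so a non-numeric value would fail the whole document unless a pipeline-level `on_failure` handler (not visible here) catches it; `ignore_failure: true` would keep the rest of the event indexed with the raw string left in place. The `- remove:` processor begins in the fourth hunk and ends in the fifth, with its field list cut between them.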

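--- a/packages/checkpoint/manifest.yml
+++ b/packages/checkpoint/manifest.yml
@@ -1,6 +1,6 @@
 name: checkpoint
 title: Check Point
-version: "1.7.0"
+version: "1.7.1"
 release: ga
 description: Collect logs from Check Point with Elastic Agent.
 type: integration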
