[Arista NG Firewall]: Grok Parsing Errors Due to Updated Syslog Message Format #12175
Labels
Integration:arista_ngfw
Arista NG Firewall
needs:triage
Team:Security-Deployment and Devices
Deployment and Devices Security team [elastic/sec-deployment-and-devices]
Integration Name
Arista NG Firewall [arista_ngfw]
Dataset Name
log
Integration Version
1.2.0
Agent Version
8.17.0
Agent Output Type
elasticsearch
Elasticsearch Version
8.17.0
OS Version and Architecture
Kubuntu 24.04
Software/API Version
No response
Error Message
Provided Grok expressions do not match field value: [<13>Dec 22 09:21:53 INFO uvm[0]: {"timeStamp":"2024-12-22 09:21:53.169","flagged":false,"blocked":false,"sessionId":113689597121086,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}]
Event Original
<13>Dec 22 09:21:53 INFO uvm[0]: {"timeStamp":"2024-12-22 09:21:53.169","flagged":false,"blocked":false,"sessionId":113689597121086,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}
What did you do?
Basic configuration.
What did you see?
What did you expect to see?
Anything else?
I just rebooted my firewall the other day, and that is when the issue started. It seems that where there were previously two spaces after the uvm[0]: in the Syslog messages, the format was changed by Arista to have only a single space. The Grok pattern will need to be updated to account for either one or two spaces. Regex handles the issue with the new Grok pattern being:

A PR will be pushed with a fix shortly.
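The mismatch described above, as an added example that is not part of the issue or the integration's own pipeline: a Python stand-in for the Grok header pattern, with a strict variant that requires exactly two spaces after the program[pid]: token (the behaviour the reporter describes) beside a tolerant variant that accepts one or more. The integration's real Grok expression is not on the page, so the regex groups here are assumptions that only mirror the shape of the message; the two sample lines are constructed from the message quoted in the error, one with the new single space and one with the old double space.

```python
import json
import re

# Constructed samples (not captured from a device). NEW_FORMAT is the line quoted
# in the error above (single space after "uvm[0]:"); OLD_FORMAT is the same line
# with the two spaces the reporter says the firewall emitted before the reboot.
NEW_FORMAT = (
    '<13>Dec 22 09:21:53 INFO uvm[0]: {"timeStamp":"2024-12-22 09:21:53.169",'
    '"flagged":false,"blocked":false,"sessionId":113689597121086,"ruleId":0,'
    '"class":"class com.untangle.app.firewall.FirewallEvent"}'
)
OLD_FORMAT = NEW_FORMAT.replace("uvm[0]: {", "uvm[0]:  {", 1)

# Assumed stand-in for the integration's Grok pattern (the real one is not on the
# page). Grok's %{SYSLOG5424PRI}, %{SYSLOGTIMESTAMP}, %{LOGLEVEL} and friends are
# written out as plain regex groups. The only difference between the two patterns
# is the separator after "program[pid]:": a literal two spaces versus "\s+".
HEADER = (
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]+) "
    r"(?P<program>[\w.-]+)\[(?P<pid>\d+)\]:"
)
STRICT_PATTERN = re.compile(HEADER + r"  " + r"(?P<message>\{.*\})$")   # exactly two spaces
TOLERANT_PATTERN = re.compile(HEADER + r"\s+" + r"(?P<message>\{.*\})$")  # one or more


def parse_syslog_line(line, pattern=TOLERANT_PATTERN):
    """Return header fields plus the decoded JSON payload, or None when the line
    does not match (the equivalent of Grok's "do not match field value" failure)."""
    m = pattern.match(line)
    if m is None:
        return None
    event = m.groupdict()
    pri = int(event.pop("pri"))
    event["facility"] = pri >> 3   # <13> -> facility 1 (user)
    event["severity"] = pri & 0x7  # <13> -> severity 5 (notice)
    event["pid"] = int(event["pid"])
    try:
        event["payload"] = json.loads(event.pop("message"))
    except json.JSONDecodeError:
        return None  # header matched but the body is not JSON: still a parse failure
    return event


def parse_batch(lines, pattern=TOLERANT_PATTERN):
    """Parse many lines and return (events, unparsed_lines) so a format change
    shows up as a count of failures rather than silently dropped events."""
    events, failed = [], []
    for line in lines:
        event = parse_syslog_line(line, pattern)
        if event is None:
            failed.append(line)
        else:
            events.append(event)
    return events, failed


if __name__ == "__main__":
    for name, pattern in (("strict", STRICT_PATTERN), ("tolerant", TOLERANT_PATTERN)):
        ok, bad = parse_batch([OLD_FORMAT, NEW_FORMAT], pattern)
        print(f"{name}: parsed={len(ok)} failed={len(bad)}")
```

The strict pattern reproduces the failure in the report (the old line parses, the new line does not), and the tolerant pattern parses both. The same change, replacing the literal double space with a one-or-more-whitespace match, is what the reporter proposes for the Grok expression; the PRI decoding is included only to show that the rest of the header was never the problem.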