[AWS Cloudtrail]: TLS Version dissect processor failure not handled #10615

Open
srilumpa opened this issue Jul 26, 2024 · 0 comments · May be fixed by #12273
Labels
Integration:aws AWS needs:triage Team:obs-ds-hosted-services Label for the Observability Hosted Services team [elastic/obs-ds-hosted-services]

Comments

@srilumpa
Contributor

Integration Name

AWS [aws]

Integration Version

2.21.0

Agent Version

8.14

Agent Output Type

elasticsearch

Elasticsearch Version

8.14

OS Version and Architecture

Ubuntu 20.04 LTS

Software/API Version

No response

Error Message

Processor "dissect" with tag "" in pipeline "logs-aws.cloudtrail-2.21.0" failed with message "Unable to find match for dissect pattern: %{tls.version_protocol}v%{tls.version} against source: tlsVersion"

Event Original

I don't have access to the raw event directly, but partial data shows the following:

{
  "json": {
    "awsRegion": "eu-west-1",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0",
    "userIdentity": {},
    "additionalEventData": {
      "result": {
        "statusType": "success",
        "statusCode": "200"
      },
      "ipAddress": "1.2.3.4, 192.168.0.100",
      "action": "action",
      "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0",
      "additionalData": {},
      "user": {
        "isAnonymous": false,
        "orgRole": "Admin",
        "name": "[email protected]",
        "userId": 2,
        "orgId": 1
      },
      "timestamp": "2024-07-26T11:54:41.794979044Z"
    },
    "eventTime": "2024-07-26T11:54:41Z",
    "eventName": "action",
    "tlsDetails": {
      "tlsVersion": "tlsVersion",
      "cipherSuite": "cipherSuite",
      "clientProvidedHostHeader": "clientProvidedHostHeader"
    }
  }
}

What did you do?

Logs are collected using the Elastic Serverless Forwarder, no specific configuration whatsoever.

What did you see?

From time to time, log processing fails and the error.message field is set. The json.tlsDetails fields do not contain data. The raw event seems to contain only this:

{
  "tlsDetails": {
    "tlsVersion": "tlsVersion",
    "cipherSuite": "cipherSuite",
    "clientProvidedHostHeader": "clientProvidedHostHeader"
  }
}

"Faulty" processor: https://github.com/elastic/integrations/blob/main/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml#L764.

What did you expect to see?

No error in processing the logs, empty fields for tls.version_protocol and tls.version. Maybe a conditional execution on the processor to avoid running it if json.tlsDetails.tlsVersion equals tlsVersion.

Anything else?

The following processors handling cipherSuite and clientProvidedHostHeader would need the same fix.
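The following is an added illustration, not code from the aws integration's pipeline or from the reporter. It models the dissect step that fails above and the conditional guard the report suggests, so the failure mode and the fix can be checked offline: the minimal dissect matcher, the `tls_version_is_real` guard (standing in for a Painless `if:` on the processor) and the three sample CloudTrail-shaped events are all constructed here. The matcher keeps the property that matters for this bug, namely that the literal separator in `%{tls.version_protocol}v%{tls.version}` is matched case-sensitively, so the placeholder string `tlsVersion` (capital V, no lowercase v) can never match and the unguarded processor raises.

```python
"""Model of the failing dissect step and the guarded fix (added example)."""
import copy
import re
from typing import Any, Callable, Dict, List, Optional, Tuple

PATTERN = "%{tls.version_protocol}v%{tls.version}"   # pattern from the error message
SOURCE_FIELD = "json.tlsDetails.tlsVersion"            # assumed source field of the processor
PLACEHOLDER = "tlsVersion"                             # literal value seen in the raw event
KEY_RE = re.compile(r"%\{([^}]+)\}")


def compile_dissect(pattern: str) -> Tuple[re.Pattern, List[str]]:
    """Turn a dissect pattern into an anchored regex plus its ordered key names.

    Each %{key} becomes a non-greedy group that stops at the next literal
    separator; literals are escaped and matched verbatim (case-sensitive).
    """
    keys: List[str] = []
    regex, pos = "", 0
    for m in KEY_RE.finditer(pattern):
        regex += re.escape(pattern[pos:m.start()])
        keys.append(m.group(1))
        regex += "(.*?)"
        pos = m.end()
    regex += re.escape(pattern[pos:])
    return re.compile("^" + regex + "$", re.DOTALL), keys


def get_path(doc: Dict[str, Any], path: str) -> Optional[Any]:
    """Read a dotted path such as json.tlsDetails.tlsVersion; None if absent."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_path(doc: Dict[str, Any], path: str, value: Any) -> None:
    """Write a dotted path as nested objects, the way ES stores tls.version."""
    parts = path.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


class DissectFailure(Exception):
    """Raised where the real processor would fail the document."""


def dissect(doc: Dict[str, Any], field: str, pattern: str,
            condition: Optional[Callable[[Dict[str, Any]], bool]] = None,
            ignore_missing: bool = True) -> str:
    """One dissect step with ingest-processor-like control flow.

    Returns "skipped" when the condition is false, "missing" when the source
    field is absent and ignore_missing is set, "matched" on success, and
    raises DissectFailure when the pattern does not match.
    """
    if condition is not None and not condition(doc):
        return "skipped"
    src = get_path(doc, field)
    if src is None:
        if ignore_missing:
            return "missing"
        raise DissectFailure(f"field [{field}] not present as part of path [{field}]")
    regex, keys = compile_dissect(pattern)
    m = regex.match(str(src))
    if m is None:
        raise DissectFailure(
            f"Unable to find match for dissect pattern: {pattern} against source: {src}")
    for key, val in zip(keys, m.groups()):
        set_path(doc, key, val)
    return "matched"


def tls_version_is_real(doc: Dict[str, Any]) -> bool:
    """Guard standing in for an assumed Painless condition such as
    ctx.json?.tlsDetails?.tlsVersion != null && ctx.json.tlsDetails.tlsVersion != 'tlsVersion'."""
    v = get_path(doc, SOURCE_FIELD)
    return v is not None and v != PLACEHOLDER


def process(event: Dict[str, Any], guarded: bool) -> Tuple[str, Dict[str, Any]]:
    """Run the single dissect step; on failure set error.message as the pipeline does."""
    doc = copy.deepcopy(event)
    try:
        status = dissect(doc, SOURCE_FIELD, PATTERN,
                         condition=tls_version_is_real if guarded else None)
    except DissectFailure as exc:
        set_path(doc, "error.message", str(exc))
        status = "failed"
    return status, doc


# Constructed sample events: a normal record, the placeholder record from the
# report, and a record with no tlsDetails block at all.
SAMPLE_EVENTS = [
    {"json": {"eventName": "ConsoleLogin",
              "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256"}}},
    {"json": {"eventName": "action",
              "tlsDetails": {"tlsVersion": "tlsVersion", "cipherSuite": "cipherSuite"}}},
    {"json": {"eventName": "GetCallerIdentity"}},
]

if __name__ == "__main__":
    for guarded in (False, True):
        for ev in SAMPLE_EVENTS:
            status, out = process(ev, guarded)
            print(f"guarded={guarded!s:5} {ev['json']['eventName']:<18} {status:<8}",
                  out.get("tls") or out.get("error", {}).get("message", ""))
```

Running it shows the unguarded step setting error.message for the placeholder record while the guarded step leaves the document untouched and error-free; the normal record yields `tls.version_protocol: TLS` and `tls.version: 1.2` either way. In an actual pipeline the equivalent change is an `if:` condition on the dissect processor (the same guard, adjusted for the field name, for the cipherSuite and clientProvidedHostHeader processors), and the three cases above can be replayed against the real pipeline with the `_ingest/pipeline/_simulate` API before shipping.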

@andrewkroh andrewkroh added the Team:obs-ds-hosted-services Label for the Observability Hosted Services team [elastic/obs-ds-hosted-services] label Aug 15, 2024
@srilumpa srilumpa linked a pull request Jan 8, 2025 that will close this issue