
[Filebeat] decode_cef - recover from errors in the CEF header #30757

Closed. andrewkroh opened this issue Mar 9, 2022 · 1 comment · Fixed by #30938
andrewkroh (Member) commented Mar 9, 2022

It would be nice if the CEF parser would recover from errors detected in the CEF header and try to resume parsing the CEF extensions. For example, the header on this message is incomplete, but the remainder of the CEF extensions are good.

```
Feb 11 19:12:22 ec2-54-211-162-22 2022-02-11 19:12:22,962 sentinel - CEF:0|SentinelOne|Mgmt|activityID=1111111111111111111 activityType=3505 siteId=None siteName=None accountId=1222222222222222222 accountName=foo-bar mdr notificationScope=ACCOUNT
```

The expected behavior is that there would be an error.message in the event because the message is not valid per the spec, but all of the cef.extension values would be present. This is what you get today.

```json
{
  "cef": {
    "device": {
      "product": "Mgmt",
      "vendor": "SentinelOne"
    },
    "version": "0"
  },
  "error": {
    "message": "unexpected end of CEF event"
  },
  "observer": {
    "product": "Mgmt",
    "vendor": "SentinelOne"
  }
}
```
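A minimal lenient parser that shows the requested behavior on the message above: a short header still yields an error, but the trailing key=value extensions are decoded instead of being dropped. This is an added illustration, not Filebeat's decode_cef code; the header field names, `ErrIncompleteHeader` and the key regex are assumptions, and escaped pipes (`\|`) are not handled.

```go
package main

import (
	"errors"
	"regexp"
	"strings"
)

var (
	cefHeaderFields = []string{"version", "device_vendor", "device_product",
		"device_version", "signature_id", "name", "severity"} // the 7 fields after "CEF:"
	ErrIncompleteHeader = errors.New("unexpected end of CEF event") // as in the issue's error.message
	extKeyRE            = regexp.MustCompile(`(?:^|\s)([A-Za-z0-9_.]+)=`) // key at start or after space
)

// parseExtensions decodes "k=v k2=value with spaces" pairs into a map.
func parseExtensions(s string) map[string]string {
	ext := map[string]string{}
	locs := extKeyRE.FindAllStringSubmatchIndex(s, -1)
	for j, loc := range locs {
		end := len(s) // a value runs up to the next key (or end of string)
		if j+1 < len(locs) {
			end = locs[j+1][0]
		}
		ext[s[loc[2]:loc[3]]] = strings.TrimSpace(s[loc[1]:end])
	}
	return ext
}

// ParseCEF returns header fields, extensions and ErrIncompleteHeader for a short
// header; unlike a strict parser it still decodes the extensions. (No \| handling.)
func ParseCEF(msg string) (map[string]string, map[string]string, error) {
	i := strings.Index(msg, "CEF:")
	if i < 0 {
		return nil, nil, errors.New("no CEF header found")
	}
	fields := strings.SplitN(msg[i+len("CEF:"):], "|", len(cefHeaderFields)+1) // extensions keep pipes
	hdr, ext := map[string]string{}, map[string]string{}
	if last := fields[len(fields)-1]; len(fields) > len(cefHeaderFields) || extKeyRE.MatchString(last) {
		// The last field is the extension block: decode it even when the header is short.
		ext, fields = parseExtensions(last), fields[:len(fields)-1]
	}
	for k, v := range fields {
		hdr[cefHeaderFields[k]] = v
	}
	if len(fields) < len(cefHeaderFields) {
		return hdr, ext, ErrIncompleteHeader
	}
	return hdr, ext, nil
}
```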
elasticmachine (Collaborator) commented:

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@andrewkroh andrewkroh changed the title [Filbeat] decode_cef - recover from errors in the CEF header [Filebeat] decode_cef - recover from errors in the CEF header Mar 9, 2022
@efd6 efd6 self-assigned this Mar 21, 2022